22 September 2015 www.infosecawareness.in Wireless LAN Security 1


Objectives

• What is WLAN & Wi-Fi?
  -- Architecture & Components of WLAN
  -- Difference between WLAN and Wi-Fi
• Need for Security in WLAN
• Security Standards in WLAN
  -- WEP, WPA, WPA2, WPS
• Security Threats
  -- DoS Attacks, Rogue AP, Dictionary Attacks, Wireless Sniffing
• Free Tools of Wireless Cracking
  -- Aircrack-ng, Reaver


WLAN

• A wireless computer network connecting 2 or more devices using a wireless distribution mechanism.
• WLANs are based on the IEEE 802.11 standards.
• The range of a WLAN is limited to a few 100 m, such as a home or office.
• Gained popularity due to ease of installation (fewer cables required), scalability, high data rates and mobility.


Wi-Fi

• Wi-Fi, called "Wireless Fidelity", is a trademark name used by the Wi-Fi Alliance.
• The Wi-Fi Alliance checks and certifies WLAN devices for interoperability.
• Devices passing the test can use the "Wi-Fi Certified" trademark.

[Image: logo used by the Wi-Fi Alliance]


Architecture & Components

[Diagram labels: Laptop with Wireless Network Card; Mobile Phone; Access Point; Internet; Wired Connectivity]


Need for Security in WLAN

WLANs are prone to the following vulnerabilities:

• Eavesdropping - Data sent over wireless traffic can be captured within range of the APs, and from a distance using directional antennas.
• DoS Attacks - Use of unlicensed bands may result in DoS attacks due to congestion in the traffic.
• War Dialing - Attackers can easily identify the security protocols used by APs on their way to the office or home, or while travelling on a bus.
• Rogue AP - Access points configured with the same type of encryption and authentication can lead to man-in-the-middle attacks.
• Ad-hoc networks & Wi-Fi hotspots with weak encryption created on wireless clients can lead intruders into organizational or home networks.


Security Standards

The following security standards have been implemented to protect the data communicated through wireless networks.

Name | Year | Who Defined It
Wired Equivalent Privacy (WEP) | 1997 | IEEE
The interim Cisco solution while awaiting 802.11i | 2001 | Cisco, IEEE 802.1x Extensible Authentication Protocol (EAP)
Wi-Fi Protected Access (WPA) | 2003 | Wi-Fi Alliance
802.11i (WPA2) | 2005+ | IEEE
WPS | 2006 | Wi-Fi Alliance


WEP (Wired Equivalent Privacy)

• Original security standard designed to maintain the confidentiality of data over wireless.

Encryption:
• It uses the RC4 stream cipher for confidentiality.
• CRC-32 checksum for data integrity.

Authentication:
• It supports Open Authentication & Shared Key Authentication.


WPA (Wi-Fi Protected Access)

• Referred to as the 802.11i standard, developed by the Wi-Fi Alliance in response to the poor encryption used with WEP.

Encryption:
• Temporal Key Integrity Protocol (TKIP) for encrypting data frames.
• Michael is an algorithm used to verify the integrity of messages; it is stronger and more efficient than the CRC used in WEP.

Authentication:
• Supports Pre-Shared Key (PSK) for normal home users or small organizations, and also the 802.1X standard for more complex authentication.


WPA2 (Wi-Fi Protected Access II)

• Developed by the Wi-Fi Alliance using stronger encryption to strengthen the security of WPA.

Encryption:
• Data frames are encrypted using "Counter Cipher Mode with block chaining message authentication code Protocol (CCMP)", an AES-based encryption technique.
• CCMP is stronger than the TKIP used in WPA.

Authentication:
• Supports Pre-Shared Key (PSK) for normal home users or small organizations, and also the 802.1X standard for more complex authentication.
• To allow high bit rates of 54Mbits/s (802.11n Standard), it is mandatory to use WPA2 encryption.


WPS (Wi-Fi Protected Setup)

• Designed by the Wi-Fi Alliance as a simple way to add clients to the wireless network.
• Designed with home users in mind, who know very little about wireless security.
• Clients can be added using:
  -- A PIN
  -- A Push Button
  -- NFC Method
  -- USB Method

Threats:
• WPS poses a serious threat, as the 6 Digit PIN provided with the Access Point is prone to brute force attack.
• It bypasses the WPA and WPA2 protocols, and their Pre-Shared Key can be obtained if the brute force attack is successful.
• Some devices have no provision to "Disable WPS".


Comparison by Security Standard, Encryption, Key Strength and Threats

Security Standard: WEP
Encryption: RC4
Key Strength:
  -- WEP-64bit (Standard Implementation): 64bit (40bit Key + 24bit Initialization Vectors [IVs])
  -- WEP-128, WEP-256: Extended implementations by vendors once the restriction over key size had been removed
Threats:
• RC4 key can be obtained due to the poor encryption mechanism
• Only Shared Key Authentication can be used, creating problems in handling compromises
• Wireless Sniffing, Packet Injection, Spoofing
• WEP is outdated and should not be used

Security Standard: WPA
Encryption: TKIP
Key Strength: 128-Bit
Threats:
• Short Packet Spoofing - Packets of small length with known contents, like ARP messages, can be decrypted due to a vulnerability in the TKIP implementation
• Relying on weak passwords and passphrases for shared keys carries a risk of brute force attack
• DoS Attacks, Packet Injection

Security Standard: WPA2
Encryption: CCMP (AES)
Key Strength: 128-Bit
Threats:
• Prone to brute force attack, like WPA, if users rely on weak passwords and passphrases
• Hole 196 is a vulnerability posing a threat of Denial of Service and Man in the Middle attacks


Tools

Tools are freely available for cracking wireless security protocols:

• Aircrack-ng - Most widely used to crack WEP keys
• Airodump-ng - Used for packet capturing; suitable for capturing the IVs (Initialization Vectors) used to crack a WEP key
• Aireplay-ng - Used to inject frames
• Reaver - Brute-forces access points for the WPS PIN


© ClubHack http://clubhack.com

Types of Security

OPEN: No security configured  X
• Obviously not advised
• Data is in the air in plain text and anyone can read it

WEP: Wired Equivalent Privacy  X
• Was broken years ago and takes 15 min to break in
• Very weak and not recommended
• Accepts only hexadecimal password


Types of Security…

WPA: Wi-Fi Protected Access  √
• Much better than WEP
• Accepts long passwords with all possible combinations
• Easy to set up, as easy as WEP
• Available in all the common wi-fi routers
• A must for all home users
• Will take a looong time to break in


Types of Security…

WPA2: Advanced Wi-Fi Protected Access  √√
• Better than WPA
• Takes a little more pain to set up
• Advised in corporate environments
• Strong encryption and authentication support


Wireless Security Standards


Description of WEP Protocol

WEP relies on a shared secret key (64 bit/128 bit) which is shared between the sender (client) and the receiver (Access Point).

• Secret Key - to encrypt packets before they are transmitted
• Integrity Check - to ensure packets are not modified in transit

The standard does not discuss how the shared key is established. In practice, most installations use a single key which is shared between all mobile stations and access points.


CHAP Authentication

[Diagram: messages exchanged between the Supplicant and the Authenticator, in order: username, challenge, response, accept/reject]


How WEP works

[Diagram: the IV and the RC4 key are used to encrypt the original unencrypted packet and its checksum, producing the IV followed by the encrypted packet]


Immediate Solution

WPA
• Easy to configure
• Every home router has this
• No special hardware or software required
• Boosts security to a comfortable level


How to configure WPA

• Open the configuration of your wi-fi device
• Go to the wireless settings
• Under the security option, select any one of:
  -- WPA
  -- WPA-PSK
  -- WPA-Personal
  -- WPA2-Personal
• Set a complex password
• Change the login password of the wireless router.
• Done


Example : Linksys


Example : Netgear


Example : ZyXEL


Look for this


Further Advised

• Change the router login password frequently
  -- At least once a month
• Change the wireless WPA password also
  -- At least once a month
• Avoid the temptation to connect to open wireless networks just looking for free internet.


What’s next (added security)

• We can configure DHCP more tightly.
• Let's not keep an open pool where anyone can connect.
• Example:
  -- I have 3 machines in my home (desktop/laptop/phone)
  -- I’ll create an IP pool of 3 IPs only
  -- I’ll do DHCP reservation for these 3 IPs using the MACs
  -- Effectively I’m not allowing any outsider machine to connect


What’s next (added security) …

• We can configure MAC binding.
• Allow only MY machines to connect
• Many access points support MAC binding
• Any other machine will not be able to connect to my Wi-Fi


Not only terrorism, what else

Connected to an open network??
• Attacker can read your mails
• Attacker can see your password (even gmail)
• Attacker can see your credit card numbers
• Attacker can access confidential information on your computer
• Attacker can chat with your girlfriend posing as you.


So…

• 6 easy steps to counter 95% of attacks on your wi-fi
• Secure your wi-fi today.