Hacking Wireless Networks

Question 1

WLAN encryption and OSI model

Answer 1

In terms of 802.11, encryption occurs at Layer 2 (WLAN addressing, 802.11 frames.
802.11 operates at layers 1( Transmission Tech: OFDM, DSSS etc) and 2
Other methods of encryption are built into higher layers of the OSI model.

Question 2

Wireless Network Security Challenges

Answer 2

Public Broadcast - Anyone can listen
Encrypt data in transit
Use Strong Encryption
Sender -> Key -> Recipient

Ultimately need to develop a long, randomised key that is difficult to guess, has a short life and effectively encrypts the data

Non Repudiation - Guarantees that the data is received by the intended reipient or proving that the data is from a known and trusted sender. We can use additional cert for non repudiation

Data Integrity - How can we determine if data has been read or manipulated during transmission (MITM attack)

Question 3

Wireless Network - WEP

Answer 3

WEP (Wired Equivalent Privacy)
64 bit WEP ( 40 bit key + 24 bit IV) or 128 bits WEP (104 bit key + 24 bit IV)
IV part of RC4 Encryption
IV Sent in Plaintext

2001 - Vulnerabilities published:
First Bytes of Keystream - Strongly non-random
Poor Randomisation
Guess the WEP key

Static Key

Weak Integrity Check Value (ICV)
32 bit Value (CRC 32)

Do not use WEP on a WLAN!!

Question 4

Explain what is happening in WEP security process in this photo

Answer 4

The IV (Initialisation Vector) is generated
This will then be used wit the WEP key to create a key stream
Simultaneously the RC4 algorithm is used to generate this key stream.
An integrity check sum value is calculated based on the data
The data is then encrypted using the key stream
Encrypted data is then transmitted with the IV in the data frame
The IV is a random no. that is 24 bits long
WEP key = 40/104 bits or can be 128 bits
IV and WEP key combined and used in RC4 algorithm

RC4 algorithm comprised of 2 separate algorithms (KSA Key Sharing Algorithm) and (PRGA Pseudo Random Generated Algorithm)
This produces the KEY STREAM

The KSA algorithm initialises the PRGA algorithm

Question 5

What is the FMS Attack

Answer 5

Fluhrer, Mantin and Shamir Attack

Found weakness in RC4 Key scheduling Algorithm
Airsnort and Aircrack
Crack WEP WLANs

Question 6

ARP Request Replay Attack

Answer 6

Generate New Initialization Vectors (IVs)
Listens for an ARP Packet -> Retransmits it to AP
AP -> Packet with New IV
Crack WEP key

Question 7

WPA/WPA2

Answer 7

Needed to replace WEP
Interim Solution
Authentication preshared key (PSK)
256 bits
8 - 63 ASCII Chars (Password)
PSK is Static (Not regularly updated)
PSK is Cached (Can determine PSK)
No Lockout on WLAN - Bruteforce/ Dictionary Attack

WPA uses RC4 with TKIP (Temporal Key Integrity Protocol)
WPA - Every packet has a unique encryption key
Introduced in 2004

WPA2 - RC4 replaced by AES (Advanced Encryption Standard)
WPA2 - TKIP replaced by CCMP - counter mode with cypher block chaining
WPA2 - Enterprise Integrated with 802.11 - Radius Server (Remote Authentication Dial in Service) Networking protocol 1812

Question 8

Describe 802.1x Enterprise Authentication

Answer 8

Each user has a separate login/password for WLAN Authentication
Central AAA server for remote domain users
RADIUS / TACACS+ for Authentication
EAP (Extensible Authentication Protocol) - Multi Factor Authentication
PEAP (Protected Extensible Authentication Protocol)
Digital Certificates
Smartcard/Biometric Identification/ Tokens

WPA and WPA2
Scalable Authentication
Users Authenticated by MSCHAPV2
Authentication: RADIUS or Kerberos
Roam with ESSID (Extended service set identifier)
Supports wireless VLANS

Protocols also supports discovery of rogue access points - determine if individuals plug into unauthorised access points