Hacking Wireless Networks Flashcards
WLAN encryption and OSI model
In terms of 802.11, encryption occurs at Layer 2 (WLAN addressing, 802.11 frames).
802.11 operates at Layers 1 (transmission technologies: OFDM, DSSS, etc.) and 2.
Other methods of encryption are built into higher layers of the OSI model.
Wireless Network Security Challenges
Public Broadcast - Anyone can listen
Encrypt data in transit
Use Strong Encryption
Sender -> Key -> Recipient
Ultimately we need to develop a long, randomised key that is difficult to guess, has a short life and effectively encrypts the data.
Non-repudiation - Guarantees that the data is received by the intended recipient, or proves that the data is from a known and trusted sender. We can use an additional certificate for non-repudiation.
Data Integrity - How can we determine whether data has been read or manipulated during transmission (MITM attack)?
Wireless Network - WEP
WEP (Wired Equivalent Privacy)
64-bit WEP (40-bit key + 24-bit IV) or 128-bit WEP (104-bit key + 24-bit IV)
IV is part of the RC4 encryption
IV Sent in Plaintext
2001 - Vulnerabilities published:
First Bytes of Keystream - Strongly non-random
Poor Randomisation
Guess the WEP key
Static Key
Weak Integrity Check Value (ICV)
32-bit value (CRC-32)
Do not use WEP on a WLAN!!
Explain what is happening in WEP security process in this photo
The IV (Initialisation Vector) is generated
This will then be used with the WEP key to create a key stream.
Simultaneously the RC4 algorithm is used to generate this key stream.
An integrity check sum value is calculated based on the data
The data is then encrypted using the key stream
Encrypted data is then transmitted with the IV in the data frame
The IV is a random number that is 24 bits long.
WEP key = 40/104 bits or can be 128 bits
IV and WEP key combined and used in RC4 algorithm
The RC4 algorithm is comprised of 2 separate algorithms: the KSA (Key Scheduling Algorithm) and the PRGA (Pseudo-Random Generation Algorithm).
This produces the KEY STREAM
The KSA algorithm initialises the PRGA algorithm
What is the FMS Attack
Fluhrer, Mantin and Shamir Attack
Found a weakness in the RC4 Key Scheduling Algorithm (KSA)
Airsnort and Aircrack
Crack WEP WLANs
ARP Request Replay Attack
Generate New Initialization Vectors (IVs)
Listens for an ARP Packet -> Retransmits it to AP
AP -> Packet with New IV
Crack WEP key
WPA/WPA2
Needed to replace WEP
Interim Solution
Authentication: pre-shared key (PSK)
256 bits
8 - 63 ASCII Chars (Password)
PSK is Static (Not regularly updated)
PSK is Cached (Can determine PSK)
No lockout on WLAN - brute-force / dictionary attack
WPA uses RC4 with TKIP (Temporal Key Integrity Protocol)
WPA - Every packet has a unique encryption key
Introduced in 2004
WPA2 - RC4 replaced by AES (Advanced Encryption Standard)
WPA2 - TKIP replaced by CCMP (Counter Mode with Cipher Block Chaining)
WPA2 Enterprise - Integrated with 802.11 - RADIUS server (Remote Authentication Dial-In Service), a networking protocol, port 1812
Describe 802.1x Enterprise Authentication
Each user has a separate login/password for WLAN Authentication
Central AAA server for remote domain users
RADIUS / TACACS+ for Authentication
EAP (Extensible Authentication Protocol) - Multi-factor authentication
PEAP (Protected Extensible Authentication Protocol)
Digital Certificates
Smartcard/Biometric Identification/ Tokens
WPA and WPA2
Scalable Authentication
Users authenticated by MS-CHAPv2
Authentication: RADIUS or Kerberos
Roam with ESSID (Extended service set identifier)
Supports wireless VLANS
The protocols also support discovery of rogue access points - determine whether individuals have plugged in unauthorised access points