CEHv8 Module 15 Hacking Wireless Networks

Hacking Wireless Networks
Module 15

Engineered by Hackers. Presented by Professionals.

CEH: Certified Ethical Hacker

Ethical Hacking and Countermeasures v8
Module 15: Hacking Wireless Networks

Security News

Smartphone Wi-Fi Searches Offer Massive New Data Leakage Vector
04 October 2012

Our mobile phones are unwittingly giving away threat vectors to would-be hackers (and, for that matter, physical criminals as well), offering criminals a new way to tap information housed on smartphones. According to researchers at Sophos, the ability of smartphones to retain identifiers for the trusted Wi-Fi networks they attach to automatically offers criminals a window into daily habits and exploitable information. "A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be 'passive' - listening for networks which are broadcasting themselves - or 'active' - sending out probe request packets in search of a network to connect to," said Sophos blogger Julian Bhardwaj. "It's very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see."

It means that a would-be criminal can find out a lot about a person's daily movements - which coffee shops they visit, what their home network is called, which bookstores are frequented, and so on.

http://www.infosecurity-magazine.com

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News

Smartphone Wi-Fi Searches Offer Massive New Data Leakage Vector

Source: http://www.infosecurity-magazine.com

Our mobile phones are unwittingly giving away threat vectors to would-be hackers (and, for that matter, physical criminals as well), offering criminals a new way to tap information housed on smartphones.

According to researchers at Sophos, the ability of smartphones to retain identifiers for the trusted Wi-Fi networks they attach to automatically offers criminals a window into daily habits - and exploitable information.

"A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be 'passive' - listening for networks which are broadcasting themselves - or 'active' - sending out probe request packets in search of a network to connect to," said Sophos blogger Julian Bhardwaj. "It's very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see."

into the person's smartphone. Specifically, an attacker could set up a rogue Wi-Fi network with the same SSID as the one the user is trying to connect to, with the aim of forcing the phone to connect and transfer data through it.

"So while someone knowing that your phone is trying to connect to 'BTHomeHub-XYZ' isn't immediately condemning, it may allow for them to launch a 'man-in-the-middle' attack against you, intercepting data sent between you and a friend, giving the impression you're talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker," explained Bhardwaj. "An 'evil twin' attack could even accomplish this without needing any knowledge of your Wi-Fi password - very damaging for all of those who use mobile banking for instance."

All of that data darting across airwaves in an unencrypted fashion clearly offers a potentially huge security hole for an enterprising cybercriminal. In an effort to find out how real the danger is, Bhardwaj launched an experiment at a recent university open day in Warwick, UK.

He ran a security demo in which he collected data from people walking by, displaying it for them to see. In just five hours, 246 wireless devices came into range. Almost half - 49% - of these devices were actively probing for their preferred networks to connect to, resulting in 365 network names being broadcast. Of those, 25% were customized, non-standard network names. However, 7% of the names revealed location information, including three where the network name was actually the first line of an address.

"What makes this even more worrying was how easily I was able to capture this sensitive information," he explained. "A tiny wireless router I purchased from eBay for $23.95 and some freely available software I found on Google was all I needed. I didn't even need to understand anything about the 802.11 protocols that govern Wi-Fi to carry out this attack."

Coupled with a portable power source, a device could easily be hidden in a plant pot, garbage can, park bench and so on to lure Wi-Fi devices to attach to it.

Mobile phone users can protect themselves somewhat by telling their phones to 'forget' networks they no longer use to minimize the amount of data leakage, he said. But, "the unfortunate news is there doesn't appear to be an easy way to disable active wireless scanning on smartphones like Androids and iPhones," he noted, other than shutting Wi-Fi access completely off or disabling location-aware smartphone apps.

Copyright © 2012
http://www.infosecurity-magazine.com/view/28616/smartphone-wifi-searches-offer-massive-new-data-leakage-vector/

Module Objectives

- Wireless Terminologies
- Types of Wireless Networks
- Types of Wireless Encryption
- How to Break WEP Encryption
- Wireless Threats
- Footprint the Wireless Network
- GPS Mapping
- How to Discover Wi-Fi Networks Using Wardriving
- Wireless Traffic Analysis
- What Is Spectrum Analysis?
- How to Reveal Hidden SSIDs
- Crack Wi-Fi Encryption
- Wireless Hacking Tools
- Bluetooth Hacking
- How to BlueJack a Victim
- How to Defend Against Wireless Attacks
- Wireless Security Tools
- Wireless Penetration Testing

Module Objectives

Wireless networks are inexpensive when compared to wired networks, but they are more vulnerable to attacks than wired networks. An attacker can easily compromise a wireless network if proper security measures are not applied or if the network is not configured appropriately. Employing a high-security mechanism may be expensive. Hence, it is advisable to determine the critical resources, risks, and vulnerabilities associated with the network, and then check whether the current security mechanism is able to protect you against all possible attacks. If not, upgrade the security mechanisms. You should also ensure that you leave no other doorway for attackers to reach and compromise the critical resources of your business. This module assists you in identifying the critical resources of your business and how to protect them.

- Types of Wireless Encryption
- Crack Wi-Fi Encryption
- How to Break WEP Encryption
- Wireless Hacking Tools
- Wireless Threats
- Bluetooth Hacking
- Footprint the Wireless Network
- How to BlueJack a Victim
- GPS Mapping
- How to Defend Against Wireless Attacks
- How to Discover Wi-Fi Networks Using Wardriving
- Wireless Security Tools
- Wireless Traffic Analysis

Module Flow

- Wireless Concepts
- Wireless Encryption
- Wireless Threats
- Wireless Hacking Methodology
- Wireless Hacking Tools
- Bluetooth Hacking

Module Flow

A wireless network is a flexible data communication system that uses radio frequency technology with wireless media to communicate and obtain data through the air, which frees the user from complicated and multiple wired connections. It uses electromagnetic waves to carry data from one point to another without relying on any physical structure. To understand the concept of hacking wireless networks, let us begin with wireless concepts. This section provides insight into wireless networks, types of wireless networks, wireless standards, authentication modes and process, wireless terminology, and types of wireless antenna.

Wireless Networks

- Wi-Fi refers to wireless local area networks (WLAN) based on the IEEE 802.11 standard
- It is a widely used technology for wireless communication across a radio channel
- Devices such as a personal computer, video-game console, smartphone, etc. use Wi-Fi to connect to a network resource such as the Internet via a wireless network access point

Advantages

- Installation is fast and easy and eliminates wiring through walls and ceilings
- It is easier to provide connectivity in areas where it is difficult to lay cable
- Access to the network can be from anywhere within range of an access point
- Public places like airports, libraries, schools or even coffee shops offer you constant Internet connections using Wireless LAN

Disadvantages

- Security is a big issue and may not meet expectations
- As the number of computers on the network increases, the bandwidth suffers
- Wi-Fi enhancements can require new wireless cards and/or access points
- Some electronic equipment can interfere with the Wi-Fi networks

Wireless Networks

A wireless network refers to a computer network that is not connected by any kind of cables. In wireless networks, the transmission is made possible through the radio wave transmission system. This usually takes place at the physical layer of the network structure. Fundamental changes to data networking and telecommunication are taking place with the wireless communication revolution. Wi-Fi is developed on IEEE 802.11 standards, and it is widely used in wireless communication. It provides wireless access to applications and data across a radio network. Wi-Fi sets up numerous ways to build up a connection between the transmitter and the receiver such as Direct-sequence Spread Spectrum (DSSS), Frequency-hopping Spread Spectrum (FHSS), Infrared (IR), and Orthogonal Frequency-division Multiplexing (OFDM).

Advantages:

- Installation is fast and easy and eliminates wiring through walls and ceilings.
- It is easier to provide connectivity in areas where it is difficult to lay cable.
- Access to the network can be from anywhere within range of an access point.
- Public places like airports, libraries, schools, or even coffee shops offer you a constant Internet connection using a wireless LAN.

Disadvantages:

- Security is a big issue and may not meet expectations.
- As the number of computers on the network increases, the bandwidth suffers.
- Changes to Wi-Fi standards may require replacing wireless cards and/or access points.
- Some electronic equipment can interfere with the Wi-Fi networks.

2010 vs. 2011 Wi-Fi Device Type Comparison

Source: http://www.meraki.com

Meraki, the cloud networking company, announced statistics showing the Wi-Fi device type comparison. The graph clearly shows that iPads used significantly more Wi-Fi data than the average mobile device.

[Figure: bar charts of Wi-Fi device types (Windows XP/Vista, Windows 7, Mac OS X, Other, Apple iPod, Apple iPad, Apple iPhone, Android) for 2010 and 2011; source http://www.meraki.com]

FIGURE 15.2: Wi-Fi Device Type Comparison in the year 2010

Summary:

- Between 2010 and 2011, mobile platforms overtook desktop platforms in percentage of Wi-Fi devices.

Wi-Fi Networks at Home and Public Places

- You can find free/paid Wi-Fi access available in coffee shops, shopping malls, bookstores, offices, airport terminals, schools, hotels, and other public places
- Wi-Fi networks at home allow you to be wherever you want with your laptop, iPad, or handheld device, and not have to make holes to hide Ethernet cables

Wi-Fi Networks at Home and Public Places

At Home

Wi-Fi networks at home allow you to be wherever you want with your laptop, iPad, or handheld device, and you don't need to make holes to hide Ethernet cables. If you have a wireless connection in your home, you can connect any number of devices that have Wi-Fi capabilities to your computer. Devices with Wi-Fi capability include Wi-Fi-capable printers and radios.

Public Places

Though these Wi-Fi networks are convenient ways to connect to the Internet, they are not secure, because anyone, be it a genuine user or an attacker, can connect to such networks or hotspots. When you are using a public Wi-Fi network, it is best to send information only to encrypted websites. You can easily determine whether a website is encrypted or not by looking at the URL. If the URL begins with "https," then it is an encrypted website. If the network asks you for a WPA password to connect to the public Wi-Fi network, then you can consider that hotspot a secure one.

Types of Wireless Networks

- Extension to a Wired Network
- Multiple Access Points
- LAN-to-LAN Wireless Network
- 3G/4G Hotspot

Types of Wireless Networks

The following are the four types of wireless networks:

Extension to a Wired Network

network and the wireless devices. The access points are basically of two types:

- Software access points
- Hardware access points

A wireless network can also be established by using an access point, or a base station. With this type of network, the access point acts like a hub, providing connectivity for the wireless computers on its system. It can connect a wireless LAN to a wired LAN, which allows wireless computers access to LAN resources, such as file servers or existing Internet connections.

To summarize:

- Software Access Points (SAPs) can be connected to the wired network, and run on a computer equipped with a wireless network interface card.

- Hardware Access Points (HAPs) provide comprehensive support to most wireless features. With suitable networking software support, users on the wireless LAN can share files and printers situated on the wired LAN and vice versa.

FIGURE 15.3: Extension to a Wired Network

Multiple Access Points

This type of network consists of wireless computers connected wirelessly by using multiple access points. If a single large area cannot be covered by a single access point, multiple access points or extension points can be established. Although extension point capability has been developed by some manufacturers, it is not defined in the wireless standard.

When using multiple access points, each access point's wireless area needs to overlap its neighbor's area. This gives users the ability to move around seamlessly using a feature called roaming. Some manufacturers develop extension points that act as wireless relays, extending the range of a single access point. Multiple extension points can be strung together to provide wireless access to locations far from the central access point.

FIGURE 15.4: Multiple Access Points

LAN-to-LAN Wireless Network

Access points provide wireless connectivity to local computers, and local computers on different networks can be interconnected. All hardware access points have the capability of being interconnected with other hardware access points. However, interconnecting LANs over wireless connections is a monumental and complex task.

3G Hotspot

A 3G hotspot is a type of wireless network that provides Wi-Fi access to Wi-Fi-enabled devices including MP3 players, notebooks, cameras, PDAs, netbooks, and more.

[Figure: a 3G hotspot providing Wi-Fi access to nearby devices and reaching the Internet over a 3G connection to a cell tower]

Standard | Amendments | Freq. (GHz) | Modulation | Speed (Mbps) | Range (ft)
802.11a | | 5 | OFDM | 54 | 25 - 75
802.11b | | 2.4 | DSSS | 11 | 150 - 150
802.11g | | 2.4 | OFDM, DSSS | 54 | 150 - 150
802.11i | Defines WPA2-Enterprise/WPA2-Personal for Wi-Fi | | | |
802.11n | | 2.4, 5 | OFDM | 54 | ~100
802.16 (WiMAX) | | 10 - 66 | | 70 - 1000 | 30 miles
Bluetooth | | 2.4 | | 1 - 3 | 25

Wireless Standards

IEEE Standard 802.11 has evolved from an extension technology for wired LANs into a more complex and capable technology.

When it first came out in 1997, the wireless local area network (WLAN) standard specified operation at 1 and 2 Mb/s in the infrared, as well as in the license-exempt 2.4-GHz Industrial, Scientific, and Medical (ISM) frequency band. An 802.11 network in the early days used to have a few PCs with wireless capability connected to an Ethernet (IEEE 802.3) LAN through a single network access point. 802.11 networks now operate at higher speeds and in additional bands. With its growth, new issues have arisen such as security, roaming among multiple access points, and even quality of service. These issues are dealt with by extensions to the standard identified by letters of the alphabet derived from the 802.11 task groups that created them.

- The 802.11a extension defines requirements for a physical layer (which determines, among other parameters, the frequency of the signal and the modulation scheme to be used) operating in the Unlicensed National Information Infrastructure (UNII) band, at 5 GHz, at data rates ranging from 6 Mb/s to 54 Mb/s. The layer uses a scheme called orthogonal frequency-division multiplexing (OFDM), which transmits data on multiple subcarriers within the communications channel. It is in many ways similar to the physical layer specification for HiperLAN II, the European wireless standard promulgated by the European Telecommunications Standards Institute.

- Commercially trademarked in 1999 by the Wireless Ethernet Compatibility Alliance (WECA) as Wi-Fi, this extension made 802.11b a household word. It defines operation in the ISM 2.4 GHz band at 5.5 Mb/s and 11 Mb/s (as well as the fallback rates of 1 Mb/s and 2 Mb/s). This physical layer uses the modulation schemes complementary code keying (CCK) and packet binary convolutional coding (PBCC). WECA is an industry organization created to certify interoperability among 802.11b products from diverse manufacturers.

- This task group's work on wireless LAN bridging has been folded into the 802.11 standard.

- This task group enhances the 802.11 specifications by spelling out its operation in new regulatory domains, such as countries in the developing world. In its initial form, the standard covered operation only in North America, Europe, and Japan.

- 802.11 is used for real-time applications such as voice and video. To ensure that these time-sensitive applications have the network resources when they need them, this task group is working on extra mechanisms to ensure quality of service at Layer 2 of the reference model, the medium-access layer, or MAC.

- 802.11 standards have developed from the small extension points of wired LANs into multiple access points. These access points must communicate with one another to allow users to roam among them. This task group is working on extensions that enable communication between access points from different vendors.

- This task group is working on high-speed extensions to 802.11b. The current draft of 802.11g contains PBCC and CCK-OFDM along with the old OFDM as modulation schemes. Development of this extension was marked by a great deal of contention in 2000 and 2001 over modulation schemes. A breakthrough occurred in November 2001, and the task group worked to finalize its draft during 2002.

- This task group is working on modifications to the 802.11a physical layer to ensure that 802.11a may be used in Europe. The task group is adding dynamic frequency selection and transmit power control, which are required to meet regulations in Europe. The original version of 802.11 incorporated a MAC-level privacy mechanism called Wired Equivalent Privacy (WEP), which has proven inadequate in many situations. This task group is busy with improved security mechanisms. The present draft includes Temporal Key Integrity Protocol (TKIP) as an improvement over WEP. 802.11a represents the third generation of wireless networking standards and technology.

- The 802.11i standard improves WLAN security. The encrypted transmission of data between 802.11a and 802.11b WLANs is best described by 802.11i. New encryption key protocols such as Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES) are defined by 802.11i. TKIP is a part of standards from IEEE. It is an

- 802.11n is a revision which enhanced the earlier 802.11 standards with multiple-input multiple-output (MIMO) antennas. It works with both the 2.4 GHz band and the less-used 5 GHz band. This is an IEEE industry standard for Wi-Fi wireless local network transmissions. OFDM is used in Digital Audio Broadcasting (DAB) and in Wireless LAN.

- 802.16a/d/e/m (WiMAX) is a wireless communications standard designed to provide 30 to 40 Mbps rates. The original version of the standard on which WiMAX is based (IEEE 802.16) specified a physical layer operating in the 10 to 66 GHz range. 802.16a, updated in 2004 to 802.16-2004, added specifications for the 2 to 11 GHz range. 802.16-2004 was updated by 802.16e-2005 in 2005 and uses scalable orthogonal frequency-division multiple access. Orthogonal frequency-division multiplexing (OFDM) is a method of encoding digital data on multiple carrier frequencies.

- Bluetooth is a wireless protocol mostly intended for shorter-range applications.

Standards | Freq. (GHz) | Modulation | Speed (Mbps) | Range (ft)
802.11a | 5 | OFDM | 54 | 25 - 75
802.11b | 2.4 | DSSS | 11 | 150 - 150
802.11g | 2.4 | OFDM, DSSS | 54 | 150 - 150
802.11i | Provides WPA2 encryption for 802.11a, 802.11b and 802.11g networks | | |
802.11n | 2.4 - 2.5 | OFDM | 54 | ~100
802.16a/d/e/m (WiMAX) | 10 - 66 | | 70 - 1000 | 30 miles
Bluetooth | 2.45 | | 1 - 3 | 25

Service Set Identifier (SSID)

- It acts as a single shared identifier between the access points and clients
- Access points continuously broadcast the SSID, if enabled, for the client machines to identify the presence of a wireless network
- SSID is a human-readable text string with a maximum length of 32 bytes
- If the SSID of the network is changed, reconfiguration of the SSID on every host is required, as every user of the network configures the SSID into their system
- SSID is a token to identify an 802.11 (Wi-Fi) network; by default it is part of the frame header sent over a wireless local area network (WLAN)
- The SSID remains secret only on closed networks with no activity, which is inconvenient to the legitimate users
- Security concerns arise when the default values are not changed, as these units can be compromised
- A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any"

S e r v i c e S e t I d e n t i f i e r ( S S I D )

י£ The Service Set Id e n tifie r (SSID) is a u n iq u e id e n tifie r th a t is used to e s ta b lish and m a in ta in w ire le s s c o n n e c tiv ity . SSID is a to k e n to id e n tify a 8 0 2 .1 1 (W i-F i) n e tw o rk ; by d e fa u lt it is th e p a rt o f th e p a cke t h e a d e r s e n t o v e r a w ire le s s local area n e tw o rk (W LA N ). It a ct as a single shared p a ssw o rd b e tw e e n access p o in ts and c lie n ts . S e c u rity c o n c e rn s arise w h e n th e d e fa u lt values are n o t ch a n g e d , since th e s e u n its can th e n be easily c o m p ro m is e d . SSID access p o in ts b ro a d ca sts th e ra d io signals c o n tin u o u s ly re ce ive d by th e c lie n t m a ch in e s if e n a b le d . A n o n -s e c u re access m o d e s ta tio n c o m m u n ic a te s w ith access p o in ts by b ro a d c a s tin g c o n fig u re d SSID, a b la n k SSID, o r an SSID c o n fig u re d as "a n y ." Because SSID is th e u n iq u e n a m e given to W LAN , all devices and access p o in ts p re s e n t in W LAN m u s t use th e sam e SSID. It is necessary f o r any d e vice th a t w a n ts to jo in th e W LAN to give th e u n iq u e SSID. If th e SSID o f th e n e tw o rk is ch a n g e d , re c o n fig u ra tio n o f th e SSID on e v e ry n e tw o rk is re q u ire d , as e v e ry use r o f th e n e tw o rk c o n fig u re s th e SSID in to th e ir s yste m . U n fo rtu n a te ly , SSID does n o t p ro v id e s e c u rity to W LAN , since it can be s n iffe d in p la in te x t fro m packets.

The SSID can be up to 32 characters long. Even if the access points (APs) of these networks are very close, the packets of the two are not going to interfere. Thus, SSIDs can be considered a password for an AP, but it can be sent in clear text and can be easily discovered. In other words, SSIDs can be called a shared secret that everyone knows, and anyone can determine. The SSID remains secret only on the closed networks with no activity, which is inconvenient to the legitimate users. A key management problem is created for the network administrator, as SSID is a secret key instead of a public key. Some common SSIDs are:

- comcomcom
- Default SSID
- Intel
- Linksys
- Wireless
- WLAN
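The SSID is advertised in the body of beacon and probe response frames as a tagged element. As an added example, not code from the courseware, the following Python parses that element out of a frame body and classifies it: a normal broadcast SSID, a blank (hidden) SSID, or a malformed one longer than the 32-byte limit the text gives. The layout assumed is the IEEE 802.11 one (12 bytes of fixed fields, then elements of ID, length, value; the SSID element has ID 0); the frame bodies are constructed inside the block and the function names are the example's own.

```python
"""Parse the SSID element from an 802.11 beacon or probe response body.

Added example for this section; not part of the CEH courseware. The sample
frame bodies produced by build_beacon_body() are constructed for illustration.
"""

SSID_ELEMENT_ID = 0      # Element ID 0 carries the SSID (IEEE 802.11)
SSID_MAX_LEN = 32        # SSID is at most 32 bytes, as the text above states
FIXED_PARAMS_LEN = 12    # timestamp (8) + beacon interval (2) + capability (2)


def parse_elements(body: bytes) -> list[tuple[int, bytes]]:
    """Walk the tagged parameters (ID, length, value) that follow the fixed
    fields of a beacon/probe response body. A truncated trailing element
    is dropped rather than read past the end of the frame."""
    elements = []
    pos = FIXED_PARAMS_LEN
    while pos + 2 <= len(body):
        elem_id, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:          # element runs past end of frame
            break
        elements.append((elem_id, value))
        pos += 2 + length
    return elements


def extract_ssid(body: bytes) -> dict:
    """Return the SSID and a classification:
    - 'broadcast': a readable SSID is being advertised
    - 'hidden': zero-length (blank) SSID, i.e. the AP does not broadcast it
    - 'invalid': longer than 32 bytes or no SSID element at all
    """
    for elem_id, value in parse_elements(body):
        if elem_id != SSID_ELEMENT_ID:
            continue
        if len(value) == 0:
            return {"ssid": "", "kind": "hidden"}
        if len(value) > SSID_MAX_LEN:
            return {"ssid": None, "kind": "invalid"}
        # SSIDs are opaque bytes on the air; decode leniently for display
        return {"ssid": value.decode("utf-8", errors="replace"), "kind": "broadcast"}
    return {"ssid": None, "kind": "invalid"}


def build_beacon_body(ssid: bytes) -> bytes:
    """Construct a minimal beacon body for testing: zeroed fixed fields,
    an SSID element, and a Supported Rates element (1 and 2 Mbps)."""
    fixed = bytes(FIXED_PARAMS_LEN)
    ssid_elem = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_elem = bytes([1, 2, 0x82, 0x84])
    return fixed + ssid_elem + rates_elem


if __name__ == "__main__":
    for name in (b"linksys", b"", b"A" * 33):
        print(extract_ssid(build_beacon_body(name)))
```

A blank SSID in the beacon only means the access point is not announcing the name; the same element still appears in probe responses and association requests, which is why the text above says the SSID provides no security on its own.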


Open System Authentication Process (figure): Probe Request; Probe Response (Security Parameters); Open System Authentication Request and Open System Authentication Response; Association Request (Security Parameters) and Association Response; Client connects to network.

Shared Key Authentication Process (figure): Authentication request sent to AP; AP sends challenge text; Client encrypts challenge text and sends it back to AP; AP decrypts challenge text, and if correct, authenticates client; Client connects to network. Parties: Client and Access Point (AP).


Wi-Fi Authentication Modes

Wi-Fi authentication can be performed in two modes:

1. Open system authentication

2. Shared key authentication

Open System Authentication Process

In the open system authentication process, any wireless station can send a request for authentication. In this process, one station can send an authentication management frame containing the identity of the sending station, to get authenticated and connected with another wireless station. The other wireless station (AP) checks the client's SSID and, if the SSID matches, sends an authentication verification frame in response. Once the verification frame reaches the client, the client connects to the network or the intended wireless station.


FIGURE 15.7: Open System Authentication mode. Parties: Client attempting to connect; Access Point (AP); Switch or Cable Modem; Internet. Step 1: Probe Request / Probe Response (Security Parameters). Step 2: Open System Authentication Request / Open System Authentication Response. Step 3: Association Request (Security Parameters) / Association Response.

Shared Key Authentication Process

In this process each wireless station is assumed to have received a shared secret key over a secure channel that is distinct from the 802.11 wireless network communication channels. The following steps illustrate how the connection is established in the Shared Key Authentication process:

- The station sends an authentication request to the access point.

- The access point sends challenge text to the station.

- The station encrypts the challenge text by making use of its configured 64-bit or 128-bit default key, and it sends the encrypted text to the access point.

- The access point uses its configured WEP key (that corresponds to the default key of the station) to decrypt the encrypted text. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, the access point authenticates the station.

- The station connects to the network.

The access point refuses to authenticate the station if the decrypted text does not match the original challenge text; the station is then unable to communicate with either the Ethernet network or the 802.11 network.

Figure: Shared Key Authentication mode. Parties: Client attempting to connect; Access Point (AP); Modem; Internet. Steps: Authentication request sent to AP; AP sends challenge text; Client encrypts challenge text and sends it back to AP; AP decrypts challenge text, and if correct, authenticates client.


Wi-Fi Authentication Process Using a Centralized Authentication Server

802.1X provides centralized authentication. For 802.1X authentication to work on a wireless network, the AP must be able to securely identify traffic from a particular wireless client. The identification is accomplished by using authentication keys that are sent to the AP and the wireless client from the Remote Authentication Dial In User Service (RADIUS) server. When a wireless client comes within range of the AP, the following process occurs:

1. The client sends an authentication request to the AP for establishing the connection.

2. The AP sends an EAP-Request for the identification of the client.

3. The wireless client responds with its EAP-Response identity.

4. The AP forwards the identity to the RADIUS server using the uncontrolled port.

5. The RADIUS server sends a request to the wireless station via the AP, specifying the authentication mechanism to be used.

6. The wireless station responds to the RADIUS server with its credentials via the AP.

7. If the credentials are acceptable, the RADIUS server sends an encrypted authentication key to the AP.

8. The AP generates a multicast/global authentication key encrypted with a per-station unicast session key, and transmits it to the wireless station.


ISM band: A set of frequencies for the international Industrial, Scientific, and Medical communities

Bandwidth: Describes the amount of information that may be broadcast over a connection

Direct-sequence Spread Spectrum (DSSS): Original data signal is multiplied with a pseudorandom noise spreading code

Frequency-hopping Spread Spectrum (FHSS): Method of transmitting radio signals by rapidly switching a carrier among many frequency channels

Orthogonal Frequency-division Multiplexing (OFDM): Method of encoding digital data on multiple carrier frequencies

GSM: Universal system used for mobile transportation for wireless network worldwide

Association: The process of connecting a wireless device to an access point

BSSID: The MAC address of an access point that has set up a Basic Service Set (BSS)

Hotspot: Places where wireless network is available for public use

Access Point: Used to connect wireless devices to a wireless network

Wireless Terminologies

Wireless Terms: Description

GSM: It is a universal system used for mobile transportation for wireless network worldwide

Association: The process of connecting a wireless device to an access point is called association

BSSID: The MAC address of an access point that has set up a Basic Service Set (BSS)

Hotspot: Place where wireless network is available for public use

Access Point: Used to connect wireless devices to a wireless network

ISM band: A range of radio frequencies that are assigned for use by unlicensed users

Bandwidth: Describes the amount of information that may be broadcast over a connection

DSSS: It is used to transmit data on a stable range of the frequency band

FHSS: Data is transmitted on radio carriers which hop pseudo-randomly through many different frequencies at a pre-determined rate and hopping sequence

OFDM: Method of encoding digital data on multiple carrier frequencies with multiple overlapping radio frequency carriers

Wi-Fi Chalking

There are various techniques to detect open wireless networks. They are:

WarWalking

To perform WarWalking, attackers walk around with Wi-Fi enabled laptops to detect open wireless networks. In this technique, the attacker goes on foot to conduct the Wi-Fi chalking. The disadvantage of this approach is the absence of a convenient computing environment and slower speed of travel.

WarFlying

WarFlying is an activity in which attackers fly around with Wi-Fi enabled laptops to detect open wireless networks. This is also known as warstorming. As most of the people usually scan for the networks to map out the wireless networks in the area or as an experiment, most WarFlying is harmless. Also, it is more difficult to access open networks through WarFlying because of the nature of flying.

In summary:

- WarFlying: In this technique, attackers fly around with Wi-Fi enabled laptops to detect open wireless networks
- WarDriving: Attackers drive around with Wi-Fi enabled laptops to detect open wireless networks
- WarWalking: Attackers walk around with Wi-Fi enabled laptops to detect open wireless networks
- WarChalking: A method used to draw symbols in public places to advertise open Wi-Fi networks


WarDriving

According to www.wordspy.com, WarDriving is a computer cracking technique that involves driving through a neighborhood with a wireless enabled notebook computer, mapping houses and businesses that have wireless access points.

WarChalking

This term comes from whackers who use chalk to place a special symbol on a sidewalk or another surface to indicate a nearby wireless network that offers Internet access. It is a method used to draw symbols in public places to advertise open Wi-Fi networks.


Wi-Fi Chalking Symbols

Wi-Fi chalking symbols are inspired by hobo symbols. Matt Jones designed the set of icons and publicized them. The following are the various Wi-Fi chalking symbols:

FIGURE 15.10: Various Wi-Fi chalking symbols: Free Wi-Fi; Wi-Fi with MAC Filtering; Restricted Wi-Fi; Pay for Wi-Fi; Wi-Fi with WPA; Wi-Fi with Multiple Access Controls; Wi-Fi with Closed SSID; Wi-Fi Honeypot


Types of Wireless Antennas

- Yagi Antenna: Yagi is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF
- Dipole Antenna: Bidirectional antenna, used to support client connections rather than site-to-site applications
- Parabolic Grid Antenna: It is based on the principle of a satellite dish but it does not have a solid backing. They can pick up Wi-Fi signals ten miles or more.
- Directional Antenna: Unidirectional antenna used to broadcast and obtain radio waves from a single direction
- Omnidirectional Antenna: Omnidirectional antennas provide a 360 degree horizontal radiation pattern. It is used in wireless base stations.

Types of Wireless Antennas

Antennas are important for sending and receiving radio signals. They convert electrical impulses into radio signals and vice versa. Basically there are five types of wireless antennas:

Directional Antenna

A directional antenna is used to broadcast and obtain radio waves from a single direction. In order to improve the transmission and reception, the directional antenna is designed to work effectively in a few directions when compared with the other directions. This also helps in reducing interference.

Omnidirectional Antenna

Omnidirectional antennas radiate electromagnetic energy regularly in all directions. They usually radiate strong waves uniformly in two dimensions, but not as strongly in the third. These antennas are efficient in areas where wireless stations use time division multiple access technology. A good example of an omnidirectional antenna is one used by radio stations. These antennas are effective for radio signal transmission because the receiver may not be stationary. Therefore, a radio can receive a signal regardless of where it is.

Parabolic Grid Antenna

... that is formed by a grid made of aluminum wire. These grid parabolic antennas can achieve very long distance Wi-Fi transmissions by making use of the principle of a highly focused radio beam. This type of antenna can be used to transmit weak radio signals millions of miles back to earth.

Yagi Antenna

Yagi is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF. It is also called a Yagi-Uda antenna. Improving the gain of the antenna and reducing the noise level of a radio signal are the main focus of this antenna. It doesn't only have a unidirectional radiation and response pattern, but it concentrates the radiation and response. It consists of a reflector, dipole, and a number of directors. An end-fire radiation pattern is developed by this antenna.

Dipole Antenna

A dipole is a straight electrical conductor measuring half a wavelength from end to end and connected at the RF feed line's center. It is also called a doublet. It is bilaterally symmetrical so it is inherently a balanced antenna. These kinds of antennas are usually fed with a balanced parallel-wire RF transmission line.


Parabolic Grid Antenna

Parabolic grid antennas enable attackers to get better signal quality resulting in more data to eavesdrop on, more bandwidth to abuse, and higher power output that is essential in Layer 1 DoS and man-in-the-middle attacks. Grid parabolic antennas can pick up Wi-Fi signals from a distance of 10 miles. The design of this antenna saves weight and space and it has the capability of picking up Wi-Fi signals that are either horizontally or vertically polarized.

SSID          Channel   Encryption   Authentication   Signal
Apple         2         None         Unknown          24%
My Wi-Fi      5         WEP          Unknown          40%
GSM           1         WEP          Unknown          64%
Wi-Fi Planet  6         None         Unknown          38%
Awslocal      8         None         Unknown          54%


Module Flow

Wireless encryption is a process of protecting the wireless network from attackers who can collect your sensitive information by breaching the RF (Radio Frequency) traffic.

This section provides insight on various wireless encryption standards such as WEP, WPA, WPA2, WEP issues, how to break encryption algorithms, and how to defend against encryption algorithm cracking.

Module flow: Wireless Concepts; Wireless Encryption; Wireless Threats; Wireless Hacking Methodology

Types of Wireless Encryption

- WEP: WEP is an encryption algorithm for IEEE 802.11 wireless networks. It is an old and original wireless security standard which can be cracked easily
- WPA: It is an advanced wireless encryption protocol using TKIP, MIC, and AES encryption. Uses a 48 bit IV, 32 bit CRC and TKIP encryption for wireless security
- WPA2: WPA2 uses AES (128 bit) and CCMP for wireless data encryption
- WPA2 Enterprise: It integrates EAP standards with WPA2 encryption
- TKIP: A security protocol used in WPA as a replacement for WEP
- AES: It is a symmetric-key encryption, used in WPA2 as a replacement of TKIP
- EAP: Supports multiple authentication methods, such as token cards, Kerberos, certificates etc.
- LEAP: It is a proprietary WLAN authentication protocol developed by Cisco
- RADIUS: It is a centralized authentication and authorization management system
- 802.11i: It is an IEEE amendment that specifies security mechanisms for 802.11 wireless networks
- CCMP: CCMP utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection

Types of Wireless Encryption

The attacks on wireless networks are increasing day by day with the increasing use of wireless networks. Therefore, from this emerging technology have come various types of wireless encryption algorithms to make the wireless network more secure. Each wireless encryption algorithm has advantages and disadvantages. The following are the various wireless encryption algorithms developed so far:

- WEP: A WLAN client authentication and data encryption protocol; it is an old, original wireless security standard that can be cracked easily.

- WPA: It is an advanced WLAN client authentication and data encryption protocol using TKIP, MIC, and AES encryption. It uses a 48-bit IV, 32-bit CRC, and TKIP encryption for wireless security.

- WPA2: WPA2 uses AES (128-bit) and CCMP for wireless data encryption.

- WPA2 Enterprise: It integrates EAP standards with WPA2 encryption.

- TKIP: A security protocol used in WPA as a replacement for WEP.

- EAP: Uses multiple authentication methods, such as token cards, Kerberos, certificates, etc.

- LEAP: A proprietary WLAN authentication protocol developed by Cisco.

- RADIUS: A centralized authentication and authorization management system.

- 802.11i: An IEEE standard that specifies security mechanisms for 802.11 wireless networks.

- CCMP: CCMP utilizes 128-bit keys, with a 48-bit initialization vector (IV) for replay detection.

WEP Encryption

What Is WEP?

- Wired Equivalent Privacy (WEP) is an IEEE 802.11 wireless protocol which provides security algorithms for data confidentiality during wireless transmissions
- WEP uses a 24-bit initialization vector (IV) to form stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity of wireless transmission
- 64-bit WEP uses a 40-bit key; 128-bit WEP uses a 104-bit key size; 256-bit WEP uses a 232-bit key size

WEP Flaws

- WEP encryption can be easily cracked
- It has significant vulnerabilities and design flaws
- It was developed without: academic or public review; review from cryptologists

WEP Encryption

In this section we will discuss WEP encryption as well as its flaws.

What Is WEP Encryption?

According to searchsecurity.com, "Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b." WEP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide confidentiality of data on wireless networks at a level equivalent to that of wired LANs. Physical security can be applied in wired LANs to stop unauthorized access to a network.

In a wireless LAN, the network can be accessed without physically connecting to the LAN. Therefore, IEEE utilizes an encryption mechanism at the data link layer for minimizing unauthorized access on WLAN. This is accomplished by encrypting data with the symmetric RC4 encryption algorithm, a cryptographic mechanism used to defend against threats.

Role of WEP in Wireless Communication

- It minimizes unauthorized access to the wireless network.

- It depends on a secret key. This key is used to encrypt packets before transmission. A mobile station and an access point share this key. An integrity check is performed to ensure that packets are not altered during transmission. 802.11 WEP encrypts only the data between 802.11 stations.

Main Goals of WEP

- Confidentiality: It prevents link-layer eavesdropping

- Access Control: It determines who may access the network and who may not

- Data Integrity: It protects data from being altered by a third party

- Efficiency

Key points

It was developed without:

- Academic or public review

- Review from cryptologists

It has significant vulnerabilities and design flaws:

- WEP is a stream cipher that uses RC4 to produce a stream of bytes that are XORed with plaintext

The lengths of the WEP key and the secret key are:

- 64-bit WEP uses a 40-bit key

- 128-bit WEP uses a 104-bit key size

- 256-bit WEP uses a 232-bit key size

WEP Flaws

Some basic flaws undermine WEP's ability to protect against a serious attack:

1. No defined method for encryption key distribution:

- Pre-shared keys were set once at installation and are rarely (if ever) changed.

- It is easy to recover the number of plaintext messages encrypted with the same key.

2. Use of RC4, which was designed to be a one-time cipher and not intended for multiple message use:

- As the pre-shared key is rarely changed, the same key is used over and over.

- An attacker monitors the traffic and finds out the different ways to work out with

4. Key generators that are used by different vendors are vulnerable for a 40-bit key.
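Flaws 1 and 2 combine in a measurable way: the key is static and the IV is only 24 bits, so any two frames from the same transmitter that carry the same IV were encrypted with the same RC4 keystream. The Python below, an added example rather than courseware code, is the check an administrator monitoring their own WEP network would run over captured frames: it reports every (BSSID, IV) pair seen more than once and gives the birthday-bound estimate of how quickly a collision is expected even when IVs are chosen at random. The capture and BSSIDs are constructed for the example.

```python
"""Detect initialization vector (IV) reuse in WEP frames captured from a
network you administer.

Added example for the flaws listed above; not courseware code. WEP's IV is
24 bits and the key is static, so two frames from the same transmitter with
the same IV share an RC4 keystream (flaw 2). The capture is constructed.
"""
import math
from collections import defaultdict

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS           # 16,777,216 possible IVs

# Constructed capture: transmitter BSSID, IV as 3-byte hex, frame sequence number
CAPTURE = [
    {"bssid": "00:11:22:33:44:55", "iv": "0a0b0c", "seq": 1},
    {"bssid": "00:11:22:33:44:55", "iv": "0a0b0d", "seq": 2},
    {"bssid": "00:11:22:33:44:55", "iv": "0a0b0c", "seq": 3},   # reuse of frame 1's IV
    {"bssid": "66:77:88:99:aa:bb", "iv": "0a0b0c", "seq": 4},   # same IV, other AP: not reuse
    {"bssid": "00:11:22:33:44:55", "iv": "000000", "seq": 5},
    {"bssid": "00:11:22:33:44:55", "iv": "000000", "seq": 6},   # counter restarted at zero
]


def expected_frames_until_collision() -> int:
    """Birthday-bound estimate of frames sent before two share an IV when
    IVs are drawn at random: sqrt(pi/2 * 2^24), about 5,100 frames."""
    return int(math.sqrt(math.pi / 2 * IV_SPACE))


def find_iv_reuse(frames: list[dict]) -> dict[tuple[str, str], list[int]]:
    """Group frames by (BSSID, IV) and keep only groups with more than one
    frame, mapping each reused pair to the sequence numbers involved."""
    seen: dict[tuple[str, str], list[int]] = defaultdict(list)
    for frame in frames:
        seen[(frame["bssid"], frame["iv"])].append(frame["seq"])
    return {key: seqs for key, seqs in seen.items() if len(seqs) > 1}


def reuse_report(frames: list[dict]) -> dict[str, int]:
    """Per-BSSID count of distinct IVs that were reused, suitable for an alert."""
    report: dict[str, int] = defaultdict(int)
    for bssid, _iv in find_iv_reuse(frames):
        report[bssid] += 1
    return dict(report)


if __name__ == "__main__":
    print(expected_frames_until_collision())       # 5133
    for (bssid, iv), seqs in find_iv_reuse(CAPTURE).items():
        print(f"IV {iv} reused by {bssid} in frames {seqs}")
    print(reuse_report(CAPTURE))                   # {'00:11:22:33:44:55': 2}
```

On a busy access point the estimate above is reached in minutes, and many drivers restart the IV at zero after a reset, which is the second case in the constructed capture; either finding is a reason to move the network off WEP rather than something to tune.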


How WEP Works

WEP-encrypted Packet (MAC Frame)

- A 24-bit arbitrary number known as the Initialization Vector (IV) is added to the WEP encryption key; the WEP key and IV are together called the WEP seed
- A CRC-32 checksum is used to calculate a 32-bit Integrity Check Value (ICV) for the data, which, in turn, is added to the data frame
- The WEP seed is used as the input to the RC4 algorithm to generate a key stream. The key stream is bit-wise XORed with the combination of data and ICV to produce the encrypted data
- The IV is added to the encrypted data and ICV to generate a MAC frame

How WEP Works

To encrypt the payload of an 802.11 frame, WEP encryption uses the following procedure:

- A 32-bit Integrity Check Value (ICV) is calculated for the frame data.

- The ICV is appended to the end of the frame data.

- A 24-bit Initialization Vector (IV) is generated and appended to the WEP encryption key.

- The combination of IV and the WEP key is used as the input to the RC4 algorithm to generate a key stream. The length of the stream should be the same as the combination of ICV and data.

- The key stream is bit-wise XORed with the combination of data and ICV to produce the encrypted data that is sent between the client and the AP.

- The IV is added to the encrypted combination of data and ICV along with other fields, to generate a MAC frame.
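The procedure just listed and the shared key authentication exchange described earlier are the same mechanism (the station WEP-encrypts the challenge text with its default key), so one added Python model serves both; it is not courseware code. RC4, the CRC-32 ICV and the IV || key seed follow the WEP construction as the text describes it; the 40-bit key, the IVs and the challenge bytes are constructed for the example, and WEP is implemented here only to make the steps concrete.

```python
"""WEP frame encryption and the shared key authentication challenge, as a
runnable model of the procedure described above.

Added example; not code from the courseware. The key, IVs and challenge
text are constructed for illustration.
"""
import os
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then the keystream XORed with data byte by byte.
    Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """32-bit Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key: bytes, plaintext: bytes, iv: bytes, key_id: int = 0) -> bytes:
    """Build the WEP body: IV (3 bytes) || pad/KeyID byte || RC4(seed, data||ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)    # 40-bit or 104-bit key
    seed = iv + key                                # "WEP seed" = IV || key
    ciphertext = rc4(seed, plaintext + icv(plaintext))
    return iv + bytes([key_id << 6]) + ciphertext  # KeyID is the top 2 bits


def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Decrypt a WEP body and verify the ICV. Returns None on ICV mismatch."""
    iv, payload = body[:3], body[4:]
    decrypted = rc4(iv + key, payload)
    data, received_icv = decrypted[:-4], decrypted[-4:]
    return data if icv(data) == received_icv else None


# Shared key authentication: frames 2 to 4 of the four-frame exchange

def ap_challenge() -> bytes:
    """Frame 2: the AP sends 128 bytes of challenge text to the station."""
    return os.urandom(128)


def station_response(key: bytes, challenge: bytes) -> bytes:
    """Frame 3: the station WEP-encrypts the challenge with its default key."""
    return wep_encrypt(key, challenge, iv=os.urandom(3))


def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Frame 4: the AP decrypts with its configured key and compares the text."""
    return wep_decrypt(key, response) == challenge


def shared_key_auth(station_key: bytes, ap_key: bytes) -> bool:
    """Run the exchange (frame 1, the request, is implicit).
    True means the AP authenticates the station."""
    challenge = ap_challenge()
    response = station_response(station_key, challenge)
    return ap_verify(ap_key, challenge, response)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"                  # constructed 40-bit key
    body = wep_encrypt(key, b"hello wlan", iv=b"\x00\x00\x01")
    print(body.hex())
    print(wep_decrypt(key, body))                  # b'hello wlan'
    print(shared_key_auth(key, key))               # True
    print(shared_key_auth(key, b"\x0a\x0b\x0c\x0d\x0e"))   # False: keys differ
```

wep_decrypt returns None whenever the ICV does not verify, which is what makes the AP's comparison fail when the two sides hold different keys; the exchange succeeds only when the station's default key matches the AP's configured key.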


Figure: WEP encryption. The WEP Key (..., K2, K3, K4) and the IV form the WEP Seed; the seed is fed to RC4 to produce the Keystream; Data and ICV are XORed with the Keystream to give the Ciphertext; IV, PAD, KID and Ciphertext make up the WEP-encrypted Packet (MAC Frame).

What Is WPA?

- Wi-Fi Protected Access (WPA) is a data encryption method for WLANs based on 802.11 standards
- A snapshot of 802.11i under development providing stronger encryption, and enabling PSK or EAP authentication

WPA Enhances WEP

- TKIP enhances WEP by adding a rekeying mechanism to provide fresh encryption and integrity keys. Temporal keys are changed for every 10,000 packets. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse

128-bit Temporal Key

- Under TKIP, the client starts with a 128-bit "temporal key" (TK) that is then combined with the client's MAC address and with an IV to create a keystream that is used to encrypt data via RC4
- It implements a sequence counter to protect against replay attacks

TKIP (Temporal Key Integrity Protocol)

- TKIP utilizes the RC4 stream cipher encryption with 128-bit keys and a 64-bit MIC integrity check
- TKIP mitigated the vulnerability by increasing the size of the IV and using mixing functions

What Is WPA?

WPA stands for Wi-Fi Protected Access. It is compatible with the 802.11i security standard. It is a software upgrade, but may also require a hardware upgrade. In the past, the primary security mechanism used between wireless access points and wireless clients was WEP encryption. The major drawback for WEP encryption is that it still uses a static encryption key. The attacker can exploit this weakness by using tools that are freely available on the Internet. The Institute of Electrical and Electronics Engineers (IEEE) has defined "an expansion to the 802.11 protocols that can allow for increased security." Nearly every Wi-Fi company has decided to employ a standard for increased security called Wi-Fi Protected Access.

Data encryption security is increased in WPA as messages are passed through Message Integrity Check (MIC) using the Temporal Key Integrity Protocol (TKIP) to enhance data encryption. The unicast traffic changes the encryption key after every frame using TKIP. The key used in TKIP changes with every frame, and is automatically coordinated between the wireless client and the access point.

- TKIP (Temporal Key Integrity Protocol): TKIP utilizes the RC4 stream cipher encryption with 128-bit keys and 64-bit keys for authentication. TKIP mitigates the WEP key derivation vulnerability by not reusing the same Initialization Vector.

TKIP enhances WEP by adding a rekeying mechanism to provide fresh encryption and integrity keys. Temporal keys are changed for every 10,000 packets. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse.
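Two of the TKIP properties described above, the sequence counter that rejects replayed packets and the temporal key that is replaced every 10,000 packets, are easy to model on their own. The Python below is an added example, not courseware code, and models only that bookkeeping: the key derivation is a labelled stand-in (an HMAC over a generation counter) rather than TKIP's real 4-way handshake and per-packet key mixing, there is no MIC, and the master key is constructed. The sender and receiver rotate keys in step, which assumes no packet loss.

```python
"""Replay protection with a sequence counter (TSC) and periodic rekeying,
modelled on the two TKIP properties described above.

Added example, not courseware code. Only the bookkeeping is modelled: the key
derivation is a stand-in, not TKIP's real key hierarchy, and keys are constructed.
"""
import hashlib
import hmac

REKEY_INTERVAL = 10_000          # packets per temporal key, as stated above


class TkipSender:
    """Sender side: a monotonically increasing TSC under the current key
    generation; the TSC restarts at 0 whenever the key is rotated."""

    def __init__(self) -> None:
        self.generation = 0
        self.tsc = 0
        self.sent = 0
        self.last_packet = (0, 0)

    def next_packet(self) -> tuple[int, int]:
        self.last_packet = (self.generation, self.tsc)
        self.tsc += 1
        self.sent += 1
        if self.sent % REKEY_INTERVAL == 0:     # rotate key, restart counter
            self.generation += 1
            self.tsc = 0
        return self.last_packet


class TkipReceiver:
    """Receiver side: remembers the highest TSC accepted under the current key
    generation and drops anything at or below it."""

    def __init__(self, master_key: bytes) -> None:
        self.master_key = master_key
        self.generation = 0
        self.last_tsc = -1                      # nothing accepted yet
        self.accepted = 0
        self.temporal_key = self.derive_key(0)

    def derive_key(self, generation: int) -> bytes:
        # Stand-in derivation (assumption, not TKIP's real key hierarchy):
        # one distinct 128-bit key per generation.
        return hmac.new(self.master_key, generation.to_bytes(4, "big"),
                        hashlib.sha256).digest()[:16]

    def accept(self, generation: int, tsc: int) -> bool:
        """True if the packet is fresh: current key generation and a TSC strictly
        above the last accepted one. Replays and reordered packets return False."""
        if generation != self.generation or tsc <= self.last_tsc:
            return False
        self.last_tsc = tsc
        self.accepted += 1
        if self.accepted % REKEY_INTERVAL == 0:  # rotate in step with the sender
            self.generation += 1
            self.last_tsc = -1
            self.temporal_key = self.derive_key(self.generation)
        return True


def run_session(n_packets: int, master_key: bytes = b"constructed-master-key") -> dict:
    """Send n_packets, then replay the last one. Reports how many were accepted,
    how many distinct temporal keys were used, and whether the replay was dropped."""
    tx, rx = TkipSender(), TkipReceiver(master_key)
    keys = {rx.temporal_key}
    accepted = 0
    for _ in range(n_packets):
        if rx.accept(*tx.next_packet()):
            accepted += 1
            keys.add(rx.temporal_key)
    replay_dropped = not rx.accept(*tx.last_packet)
    return {"accepted": accepted, "distinct_keys": len(keys),
            "replay_dropped": replay_dropped}


if __name__ == "__main__":
    print(run_session(25_000))
    # {'accepted': 25000, 'distinct_keys': 3, 'replay_dropped': True}
```

A packet from an earlier key generation is rejected by the generation check even if its counter value would otherwise be fresh, which is the effect rekeying has on replayed traffic.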
