Wireless LAN Security


The University Of Lahore

Computer Networks
Sir Waseem Iqbal
Submitted by:
Muhammad Zia Shahid
********************************

Term Paper

Wireless LAN Security Risks and Solutions


Topics:

Introduction of wireless LAN Security

Security Black points

Security Hacks Method

Protection Methods

Final Result

Abstract:
This paper describes current wireless LAN security risks and their solutions. It also
provides an overview of the major security risks, threats and vulnerabilities of WLAN systems,
and of the protection methods that help to secure a WLAN.

Term Paper Feature:

• What is WLAN security?
• Importance of WLAN security
• Security problems and risks
• Hacking techniques and software available on the black market
• How to protect the WLAN system
• Volunteer born Findings

Introduction of wireless LAN Security


Wireless networks based on the IEEE 802.11 standard have experienced excellent growth. This has
happened mainly due to the timely release of the IEEE 802.11 standard [1], the cost of the
hardware, and the high data rate (11 Mbps for IEEE 802.11b and 54 Mbps for IEEE 802.11a). Many
organizations are finding that WLANs (Wireless Local Area Networks) are an essential addition to
traditional wired LANs, needed to satisfy requirements for mobility, relocation, ad hoc
networking, and coverage of locations that are hard to wire.

Application areas for WLANs can be classified into the following categories: LAN extension,
cross-building interconnect, nomadic access and ad hoc wireless networks. WLANs are widely used
in education, healthcare, financial industries, and various public places such as airline
lounges, coffee shops, and libraries. Although the technology has been standardized for many
years, providing wireless network security has become a critical area of concern. Due to the
broadcast nature of wireless communication, it is easy for an attacker to hack wireless
communication or to disturb the normal operation of the network by injecting additional
traffic.[2]

Furthermore, an interesting trend has been registered in technology-oriented, high-density
populated areas: independent, nonprofessional computer amateurs install a WLAN access point and
allow everyone to access it for free.[3]

IEEE 802.11 specifies an optional encryption capability called Wired Equivalent Privacy (WEP).
Its purpose is to provide security equivalent to that of wired networks. WEP incorporates the
RC4 algorithm from RSA Data Security, which encrypts over-the-air transmissions.

The lack of cables makes WLANs easy to install for system administrators and, at the same
time, offers mobility and flexibility to the users. This kind of portability at a reasonable
price, without a noticeable drop in bandwidth, has been mainly responsible for the widespread
usage of WLANs in the home environment.[4]

WLAN Architecture
An IEEE 802.11 WLAN is a group of stations (wireless nodes) located
within a limited physical area. The IEEE 802.11 architecture consists of
several components that interact to provide a WLAN that supports
station mobility. The basic building block of IEEE 802.11 LAN is the
basic service set
(BSS), which consists of some number of stations executing the same
MAC protocol and competing for access to the same, shared wireless
medium. The association between a station and a BSS is dynamic. When
moving out of range, a station may disassociate from the current BSS,
and it may associate later to another BSS. The component that
interconnects BSSs is the distribution system (DS). The DS can be a
switch, a wired network, or a wireless network. A BSS connects to a DS
through an Access Point (AP). An AP functions like a bridge, moving
data between its BSS and the DS. A set of BSSs and the DS form an
extended service set (ESS) network. Stations within an ESS may
communicate and mobile stations may move from a BSS to another. The
ESS appears as a single logical LAN at the logical link control (LLC) level. The integration of
the IEEE 802.11 architecture with a traditional wired 802.x LAN is accomplished through a portal.

Security Black points

• Traffic Analysis
• Passive Eavesdropping
• Active Eavesdropping
• Unauthorized Access
• Man-in-the-Middle
• Session Hijacking
• Denial of Service (DoS)

Traffic Analysis
• Traffic analysis allows the attacker to obtain three forms of information:
  • The attacker first identifies that there is activity on the network.
  • The identification and physical location of the wireless access point (AP).
  • The type of protocol being used during the transmission.

Passive Eavesdropping
• Passive eavesdropping allows the attacker to obtain two forms of information:
  • The attacker can read the data transmitted in the session.
  • The attacker can read information about the transmission, i.e. source, destination, size,
    number and time of transmission.

Active Eavesdropping
• Active eavesdropping allows the attacker to inject data into the communication in order to
  decipher the payload.
• Active eavesdropping can take two forms:
  • The attacker can modify the packet.
  • The attacker can inject a complete packet into the data.
• WEP uses only a CRC to check the integrity of the data in the packet.

Unauthorized Access
• Due to the physical properties of the WLAN, the attacker will always have access to the
  wireless components of the network.
• If the attacker succeeds in gaining unauthorized access to the network by using a brute force
  attack, a man-in-the-middle attack or a denial of service attack, the attacker can use all of
  the network's services.
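
The CRC point under Active Eavesdropping above, shown as an added example that is not part of the original paper: because WEP's integrity check value is an unkeyed CRC-32 encrypted with the RC4 keystream, a frame altered in transit still passes the receiver's check, while a keyed MAC rejects it. The key, IV and message are constructed sample values, and the HMAC comparison is an illustrative stand-in for a keyed integrity check, not the mechanism WPA2 itself uses.

```python
import hashlib
import hmac
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4, the stream cipher WEP uses; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream XOR data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    return rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(iv: bytes, key: bytes, body: bytes):
    """Return the plaintext, or None when the ICV does not match."""
    clear = rc4(iv + key, body)
    data, received = clear[:-4], clear[-4:]
    return data if icv(data) == received else None


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def patch_for(delta: bytes) -> bytes:
    """Bytes to XOR into an encrypted frame body so that `delta` is applied to
    the plaintext and the ICV stays valid. CRC-32 is affine over XOR:
    crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros), so no key is needed."""
    crc_change = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return delta + struct.pack("<I", crc_change)


def mac_tag(mac_key: bytes, iv: bytes, body: bytes) -> bytes:
    """Keyed integrity check (HMAC-SHA256) over the IV and ciphertext."""
    return hmac.new(mac_key, iv + body, hashlib.sha256).digest()


def demo():
    # Constructed sample values, not taken from any real network.
    key, iv = bytes.fromhex("0102030405"), b"\x00\x00\x01"
    mac_key = b"constructed-mac-key"
    original, altered = b"reading=0100", b"reading=0900"

    body = wep_encrypt(iv, key, original)
    tag = mac_tag(mac_key, iv, body)

    # Modification made knowing only the bit difference, not the key.
    tampered = xor(body, patch_for(xor(original, altered)))

    accepted_by_crc = wep_decrypt(iv, key, tampered)
    accepted_by_mac = hmac.compare_digest(tag, mac_tag(mac_key, iv, tampered))
    return accepted_by_crc, accepted_by_mac


if __name__ == "__main__":
    print(demo())
```

The CRC check accepts the altered frame and returns the changed text, while the keyed tag no longer matches; this is why a checksum without a key cannot serve as an integrity check.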

Man-in-the-Middle
The man-in-the-middle, bucket-brigade attack, or sometimes Janus attack, is a form of
active eavesdropping in which the attacker makes independent connections with the
victims and relays messages between them, making them believe that they are talking
directly to each other over a private connection, when in fact the entire conversation is
controlled by the attacker. The attacker must be able to intercept all messages going
between the two victims and inject new ones, which is straightforward in many
circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi
wireless access point can insert himself as a man-in-the-middle).
Session Hijacking
In computer science, session hijacking is the exploitation of a valid computer
session—sometimes also called a session key—to gain unauthorized access to
information or services in a computer system. In particular, it is used to refer to
the theft of a magic cookie used to authenticate a user to a remote server. It has
particular relevance to web developers, as the HTTP cookies used to maintain a
session on many web sites can be easily stolen by an attacker using an
intermediary computer or with access to the saved cookies on the victim's
computer (see HTTP cookie theft).[5]

Security Hacks Method

• NetStumbler
• Kismet
• Wellenreiter
• THC-RUT
• Ethereal
• AirSnort
• HostAP
• WEPWedgie
• AirSnarf
• SMAC
• Aircrack
• Aircrack-ng
• WepAttack
• WEPCrack
• coWPAtty

NetStumbler
NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs)
using 802.11b, 802.11a and 802.11g.[6]

Kismet
Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet
will work with any wireless card which supports raw monitoring mode, and can sniff 802.11b,
802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).[7]

Wellenreiter
Wellenreiter was developed to analyze wrongly configured networks. This can be done simply,
transparently, and without interfering with the network. The collected information helps to
optimize the environment.[8]

THC-RUT
RUT (aRe yoU There, pronounced as 'root') is your first knife on a foreign network. It gathers
information from local and remote networks.[9]

Ethereal
Ethereal is a network packet analyzer. A network packet analyzer tries to capture network
packets and to display the packet data in as much detail as possible.[10]

AirSnort
AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by
passively monitoring transmissions, computing the encryption key when enough packets have been
gathered.[11]

AirSnarf
AirSnarf is a simple rogue wireless access point setup utility designed to demonstrate how a
rogue AP can steal usernames and passwords from public wireless hotspots. AirSnarf was developed
and released to demonstrate an inherent vulnerability of public 802.11b hotspots: snaring
usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.[12]

Aircrack
Aircrack is a set of tools for auditing wireless networks:[13]
• airodump: 802.11 packet capture program
• aireplay: 802.11 packet injection program
• aircrack: static WEP and WPA-PSK key cracker
• airdecap: decrypts WEP/WPA capture files

WEPCrack
WEPCrack is an open source tool for breaking 802.11 WEP secret keys. This tool is an
implementation of the attack described by Fluhrer, Mantin, and Shamir in the paper "Weaknesses
in the Key Scheduling Algorithm of RC4".[14]

Protection Methods
Changing Administrator Passwords and Usernames
After you've taken your wifi router out of the box and started the setup process, you will be asked to
sign on to a specific Web page and are required to enter information such as your network address and
account information. In theory, this Wifi setup page is protected with a login screen (username and
password).
The Problem: Though the username and password are intended to allow only you to get access to your
Wifi setup and the personal information you have entered, the fact remains that the logins provided are
usually given to everyone with the same model router, and because most people never change them,
they remain an easy target for hackers and identity thieves. In fact, there are sites that list the default
usernames and passwords for wireless routers, making a hacker's job even easier.
The Solution: Change the username and password for your Wifi setup immediately after the first login.
And if you are going to spend the time changing your password, make sure it is difficult to guess.
Your name, birth date, anniversary date, child's name, spouse's name, or pet's name are going to be
among the hacker's first guesses. And because many hackers use a technique called 'dictionary
hacking,' (running a program that tries common English words as passwords) you should make sure
that your password isn't just a common English word, but rather is a combination of letters and
numbers.
 
Upgrading your Wifi Encryption

If the information sent back and forth over your Wifi network isn't adequately encrypted, a hacker can
easily tap into the network and monitor your activity. When you type personal or financial information
into a Web site, that hacker can then steal that information and use it to steal your identity. The old
encryption standard Wired Equivalent Privacy (WEP) can be hacked within 30 seconds, no matter the
complexity of the passphrase you use to protect it. Unfortunately, millions of Wifi users are still using
WEP encryption technology to encrypt their information, despite the availability of the vastly superior
WPA2 encryption standard.

The Problem: Despite the superior encryption protection that WPA2 provides, most Wifi home users
have failed to upgrade their protection because they were unaware of the problem, or simply felt
overwhelmed by the technical prospects of upgrading. As a result, many continue to use WEP
encryption, which is now so simple to hack that it is widely regarded as little better than no encryption
at all.
The Solution: The solution, of course, is to upgrade your Wifi encryption to WPA2. But before you can
add WPA2 protection, you will have to complete a few steps in order to update your computer. The
first step is to download and install Microsoft's WPA2 hotfix for Windows XP. You will also likely
need to update your wireless card driver. These updates, if needed, will be listed in Microsoft's
Windows Update page under the subheading "Hardware Optional".

Now that your computer and wireless card are up to date, you will need to log into your router's
administration page through your web browser (this is the page you signed into in order to set up
the Wifi router the first time you opened it up; the specific URL can be found in your router's
instruction manual.) Once signed in, change the security settings to "WPA2 Personal" and select the
algorithm "TKIP+AES". Finally, enter your password into the "Shared Key" field and save your
changes.

 
Changing the Default System ID

When you got your Linksys or D-Link router home from the store and set it up, it came with a default
system ID called the SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier). This ID
is also commonly referred to as the name of your Wifi setup.

The Problem: Usually, manufacturers assign identical SSID sets to their devices, and 80 percent of Wifi
home users leave their system on the default setting. So that means that 80 percent of homes have Wifi
systems titled, "Default" or "LinkSys" or whatever your provider sets as the default name.

The problem with these default settings is that they serve as strong signals to hackers who have been
known to just cruise neighborhoods looking for Wifi networks with default names to hack into.
Though knowing the SSID does not allow anyone to break into your network, it usually indicates that
the person hasn't taken any steps to protect their network, thus these networks are the most common
targets.

The Solution: Change the default SSID immediately when you configure your LAN. This may not
offer complete protection as to who gains access to your network, but configuring your SSID to
something personal, e.g. "The Smith House Wifi Network", will differentiate you from other
unprotected networks, and discourage hackers from targeting you. As an added bonus, having a Wifi
network with a unique name also means that neither you nor your family will make the mistake of
connecting through a neighbor's Wifi network, and thus exposing your computers through their
unprotected setup.
 
MAC Address Filtering

If you've had an unsecured Wifi setup in your home in the past, you can be fairly certain that at least
one of your neighbors is mooching off your Wifi to connect to the Internet. While everyone loves a
friendly neighbor, providing an easy resource for others to steal Internet access is morally and legally
questionable, but even scarier is the harm those moochers can do to your computer.

In order to check who has been using your network, you'll need to check the MAC address. Every wifi
gadget is assigned a unique code that identifies it called the "physical address" or "MAC address."
Your wifi system automatically records the MAC addresses of all devices that connect to them. But
busting your Internet-stealing neighbors isn't all that MAC addresses are good for, they can actually be
a great help in securing your WLAN.

The Problem: You are not sure who or what is accessing and endangering your wifi network, and once
you find out that someone or something is mooching off your network, you want to stop them. But
how?
The Solution: Checking the MAC address log for your wifi network will give you a quick view of all
the devices accessing your network. Anything that isn't yours, you will want to keep out. To do this,
you will need to manually key in the MAC addresses of your home equipment. This way, the network
will allow connections only from these devices, so your mooching neighbors will be out of luck.
Caution: This feature is not as powerful as it may seem. While it will stop your average neighborhood
moocher or amateur hacker, professional hackers use advanced software programs to fake MAC
addresses.
 
Stop Publicly Broadcasting your Network

By now you've renamed your wifi so that hackers won't see the default name as they sweep for
unprotected wifi setups. But wouldn't it be even better if hackers and curious neighbors didn't know
you had a wifi setup at all? Usually, your access point or router is programmed to broadcast the
network name (SSID) over the air at regular intervals. While broadcasting is essential for businesses
and mobile hotspots to let people find the network, it isn't needed at home, so eliminate it.

The Problem: Why broadcast to the world that you have a wireless connection? You already know it;
why do strangers need to know? For most personal uses, you are better off without this feature,
because it increases the likelihood of an unwelcome neighbor or hacker trying to log in to your home
network. The broadcast works like an invitation to the hackers who're searching for just that
opportunity.

The Solution: Most wifi access points allow the SSID broadcast feature to be disabled by the network
administrator. If you are using a Linksys router, instructions to disable your SSID broadcast are here,
and for those of you using D-Link, your instructions are here (See Figure 1.6 on page 4). Otherwise,
you will need to check the manual for your hardware for specific instructions on how to disable
broadcasting for your router.

Auto-Connect to Open Wifi Networks?


Most computers provide a wifi setting that will configure your computer to automatically connect to
any open wifi network without notifying you. While this setting isn't the default, many individuals
select the setting because it makes connecting faster when you are traveling, or connecting at a friend's
house. Even more common is to have selected 'connect automatically' for networks that you regularly
connect to. Again, this makes sense, as most people do not want to have to manually type in the name
of their wireless network and the password each time they want to sign in at home. Unfortunately, both
wifi setups can cause major security problems.

The Problem: If you connect to every available wifi network automatically, you will inevitably end up
connecting to dummy wifi networks designed specifically to catch unsuspecting users and hack their
computers.

Similarly, if you automatically connect to your regular wifi networks (meaning you don't manually
type in your network name and password every time) then you may be setting yourself up for a
security breach. That is because 80 percent of wifi users have not changed the name of their wireless
connection. Therefore, it is very easy for a hacker to create a dummy network entitled "Linksys" or
"Default", then sit back and watch 80 percent of computers automatically connect to the network since
it has a 'trusted' name.

The Solution: Never select the 'connect to available wifi networks automatically' setup option under
your Network Connections window. If you don't want to have to manually type in the name and
password to your wifi connection each time you sign in (the safest option), at least make sure that you
have named your wifi connection something unique, and that you eliminate all generic titled networks
from your 'preferred networks' list. That way, you won't get automatically connected to dummy wifi
networks set up by hackers and given the names "Default" or "Linksys".
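
One way to check a client's preferred-networks list for the weaknesses described in the sections above (open or WEP networks, factory-default SSIDs, automatic connection), as an added example that is not part of the original paper. It assumes a Linux client that stores its saved networks in wpa_supplicant.conf syntax rather than the Windows settings the text describes; the sample file and the `DEFAULT_SSIDS` set are constructed for illustration.

```python
import re

# SSIDs the text names as factory defaults; extend for your own hardware.
DEFAULT_SSIDS = {"default", "linksys"}

# Constructed sample of a client's saved-network list (wpa_supplicant.conf syntax).
SAMPLE_CONF = '''
ctrl_interface=/var/run/wpa_supplicant

network={
    ssid="The Smith House Wifi Network"
    proto=RSN
    key_mgmt=WPA-PSK
    psk="constructed-example-passphrase"
}

network={
    ssid="Linksys"
    key_mgmt=NONE
}

network={
    ssid="OldOfficeAP"
    key_mgmt=NONE
    wep_key0="abcde"
    wep_tx_keyidx=0
}

network={
    ssid="Default"
    key_mgmt=NONE
    disabled=1
}
'''


def parse_networks(conf: str):
    """Return one dict of key/value settings per network={...} block."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\n\s*\}", conf, flags=re.S):
        settings = {}
        for line in block.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks


def audit(conf: str):
    """Return (ssid, issue, auto_connect) for each weakness found."""
    findings = []
    for net in parse_networks(conf):
        ssid = net.get("ssid", "")
        # A saved network is joined automatically unless it is disabled.
        auto_connect = net.get("disabled", "0") != "1"
        issues = []
        if net.get("key_mgmt", "").upper() == "NONE":
            has_wep_key = any(k.startswith("wep_key") for k in net)
            issues.append("WEP" if has_wep_key else "open network")
        if ssid.lower() in DEFAULT_SSIDS:
            issues.append("default SSID")
        findings.extend((ssid, issue, auto_connect) for issue in issues)
    return findings


if __name__ == "__main__":
    for ssid, issue, auto in audit(SAMPLE_CONF):
        print(f"{ssid}: {issue} (auto-connect: {auto})")
```

Entries reported with auto-connect enabled are the ones to remove from the list first, since the client will join any network advertising that name.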

You've got a built-in firewall, so use it

Your IT security needs to use a layered approach. While no single layer of your security is enough to
withstand every attack, adding layers to your security will help ensure that spyware and malware are
kept out. Two important security layers are the router firewall and your individual PC's firewall.

The Problem: Routers come with built-in firewall capability. However, since there is an option to
disable them, they can often be accidentally turned off by someone toggling options.
The Solution: Ensure that your router's firewall is enabled, along with related built-in security features
that block anonymous internet requests or pings. This extra step will help hide your network's
presence to the internet, and thus help protect your network. After all, it's harder for hackers to
infiltrate what they can't find.
 
Positioning of the Router or Access Point

Wifi signals don't know where your house ends and where your neighbor's begins. This wifi signal
leakage gives hackers and neighbors the opportunity to find your wireless network and attempt to
access it.
The Problem: While a small amount of overflow outdoors is not a problem, it is important to keep this
leakage to a minimum. This is important because the further your signal reaches into the
neighborhood, the easier it is for others to detect and exploit.
The Solution: If you haven't yet installed your wireless home network, make sure to position the router
or access point in the center of the home rather than near windows or doors. If you live in an
apartment, consider that a wifi network's reach depends in part on the materials that the signal must pass
through: the more walls, doors, and metal the signal passes through, the weaker it is. So if your goal is
to reduce leakage, you might consider mounting your wifi in a closet in order to reduce signal strength.
 
When to Turn Off the Network

Most of us know that it is impractical to constantly turn devices on and off. Having a wifi connection
is in large part a matter of convenience, and having to turn it off every time you aren't using it
eliminates much of that convenience. Unfortunately, a wifi connection is vulnerable when it is on;
therefore shutting off your wireless signal when not in use would be a huge boon to its security.

The Problem: There is an inherent tension between convenience and security in deciding whether to
turn off a wireless access point between connections.
The Solution: Just as you take extra home security measures when taking a vacation, like asking your
neighbors to pick up the mail and leaving a light on, so also should you take extra wifi security
measures when your network will not be in use for extended periods of time. Shutting down the
network is a basic but effective security measure that can protect your network when you are not
around to protect it and hackers may take the opportunity to mount their attack.
 
Putting your Improvements to the Test

Now that you've made all these changes to your wifi setup, it would be nice to know that you are
secure. Unfortunately, the only surefire test for how secure you are is to wait to see if you get hacked.
Trial by fire is no way to test your security, however, so thankfully there is a program to help audit
your wifi security.

The Problem: There is no way for the average home wifi user to know if the changes they made to
upgrade their wireless security will really prove successful in keeping them safe.
The Solution: The Netstumbler utility, by Marius Milner, will identify both your network's
vulnerabilities and unauthorized access points. In addition to these security concerns, the
downloadable program will also reveal the sources of network interference and weak signal strength,
so that you can improve the strength of your wifi signal. Netstumbler is free for download, although
the author asks that those who find the tool helpful make a donation to support the creation of future
utilities.[15]

References:

[1] Sara Nasre, "Wireless Lan Security", Research Paper, 05/05/2004, IT 6823 Information Security, Instructor: Dr. Andy Ju An Wang, Spring 2004

[2] Cliff Skolnick, "Wireless LAN Security Issues and Solutions", BAWUG

[3] Mohammad O. Pervaiz, Mihaela Cardei, and Jie Wu, Department of Computer Science & Engineering, Florida Atlantic University, 777 Glades Road, Boca Raton, Florida 33431, USA. E-mail: {mpervaiz@, mihaela@cse., jie@cse.}fau.edu

[4] Marco Casole, "WLAN security – Status, Problems and Perspective", Ericsson Enterprise AB – Wireless LAN Systems – 164 80 Stockholm - Sweden. Ph.: + 46 08 508 79822, Fax: + 46 08 585 31290

[5] Wikipedia and MSc’s Presentation from uol

[6] http://www.stumbler.net

[7] http://www.kismetwireless.net/documentation.shtml

[8] http://webscripts.softpedia.com/script/Networking-Tools/Wellenreiter-28253.html

[9] http://www.thc.org/thc-rut/

[10] http://www.ethereal.com/docs/eug_html/#ChIntroWhatIs

[11] http://airsnort.shmoo.com/

[12] http://airsnarf.shmoo.com/

[13] http://www.grape-info.com/doc/linux/config/aircrack-ng-0.6.html

[14] http://wepcrack.sourceforge.net/

[15] http://www.focus.com/briefs/mobile-wireless/secure-wireless-lan/
