1 / 21

Sniffing on Wireless LANs

Sniffing on Wireless LANs. Basic concept of wireless LAN. A type of local area network. Use high frequency Radio Wave (RF). Speed: 2Mbps to 54Mbps. Distance: 100 feet to several miles. IEEE 802.11. Access Point (AP) Serves as a “hub” for wireless clients.

fritz-ramsey
Download Presentation

Sniffing on Wireless LANs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sniffing on Wireless LANs

  2. Basic concept of wireless LAN • A type of local area network. • Use high frequency Radio Wave (RF). • Speed: 2Mbps to 54Mbps. • Distance: 100 feet to several miles. • IEEE 802.11.

  3. Access Point (AP) • Serves as a “hub” for wireless clients. • Bridge between wired and wireless LANs. • Similar to a basestation used for a cellular phone network.

  4. Ad Hoc Mode • Client to client communication

  5. Infrastructure mode • Connect to AP

  6. BSS (Basic Service Set) • The set of clients and AP which have recognized each other and have established communications. • SSID or BSSID • Basic service set identifier • ESS (extended services set) • Series of overlapping BSS connected by a distributed system.

  7. Channel Source: http://www.pisa.org.hk/event/wlan_workshop.ppt

  8. War Driving • Originally, WarDriving was when crackers drove around in a car equipped with wireless gear looking for unsecured wireless networks, to gain illicit access. • Over time, the term has evolved to include harmless types that simply checking on the RF environment.

  9. What are needed for war driving • Device capable of • receiving 802.11b signal. • Capable of moving around. • Software that will log data from the device. • NetStumbler • Over time, you can build up a database comprised of the network name, signal strength, location, and ip/namespace in use.

  10. PISA tried a war driving in Hong Kong on July 7,2002 (See: http://www.pisa.org.hk/event/wlan_workshop.ppt )

  11. Their findings • Discovered 187 access points with antenna (52 without antenna). • WEP enable: 43 • WEP disable: 144

  12. WEP Protocol • Wired Equivalent privacy protocol is used in 802.11 network to protect link-level data during wireless transmission. • WEP relies on a secret key k shared between the communicating parties. • It is optional • That means some users may not turn it on.

  13. Plaintext Message CRC XOR Keystream= RC4(v,k) v Ciphertext Transmitted Data

  14. Checksumming • Compute an integrity checksum c(M) on the message M. • Concatenate the two to obtain a plaintext P = <M,c(M)> • Encryption • Choose an initialization vector (IV) v. • RC4 algorithm generates a keystream RC4(v,k) • Long sequence of pseudorandom bytes • A function of v and k.

  15. Exclusive-OR the plaintext with the keystream to obtain the ciphertext: • Tranmission • Transmit the IV and the ciphertext over the radio link.

  16. Weakness of WEP • Presented in the paper • Scott Fluhrer, Itsik Mantin, and Adi Shamir, “Weaknesses in the Key Scheduling Algorithm of RC4”. • Invariance weakness • Existence of a large class of weak keys. • IV weakness • Related key vulnerability

  17. Open-source implementations of the attack are now widely available. • One of the best-known programs is AirSnort (http://airsnort.shmoo.com/ ). • Key recovery with AirSnort takes only a few seconds once enough weakly-encrypted frames are gathered. • Our TAs have tried this package before. It took about half day to collect enough packet to break the key.

  18. A Screenshot of running AirSnort

  19. Solutions • The 802.11 work group is now working on new encryption schemes. Some possible methods may include. • 802.1x • Per-port user authentication • WEP2 • Use VPN for the wireless connection • Encryption with IPSec or PPTP

  20. Application Application SSL SSL Transport (TCP, UDP) Transport (TCP, UDP) Router Network (IP) Network (IP) Network (IP) Network (IP) (VPN) (VPN) 802.11b Link Ethernet Link Ethernet Link 802.11b Link WEP WEP 802.1b Physical Ethernet Physical Ethernet Physical 802.1b Physical Source: http://www.pisa.org.hk/event/wlan_workshop.ppt

  21. VPN Internet Local Area Network of your organization. Firewall Firewall

More Related