Source: rowdysites.msudenver.edu/~fustos/cis4500/pdf/chapter07.pdf

Wireless Network Hacking

Chapter #7:

CIS 4500

Outline

- Describe wireless network architecture and terminology
- Identify wireless network types and forms of authentication
- Describe wireless encryption algorithms
- Identify wireless hacking methods and tools
- Describe mobile platform attacks
- Identify Mobile Device Management

Standards

- Packetized data over radio waves in the 2.4 GHz band
- Multiple-rate Ethernet
- ‘b’ operates at rates of 1 Mbps, 2 Mbps, 5.5 Mbps, and 11 Mbps (2.4 GHz)
- ‘a’ data traffic up to 54 Mbps in the 5 GHz spectrum
- ‘g’ uses the 2.4 GHz band and achieves 54 Mbps data rates
- bands that are “unlicensed” by the FCC
- anybody can use them – possible interference

Wireless Design/Operations

- Antenna placement and geometry
- power level control
- antenna types
- MAC Filtering
- Channels

Connection

- Authentication: handshake when attempting to “associate” to the AP
- Association is the process needed before the AP will allow the client to talk to the network
- Association occurs only if the client has all the correct parameters needed
- service set identifier (SSID)
- should limit access to only the authorized users of the wireless network

Authentication

- Authentication can happen in a frame sent to an AP with SSID
- Unique 32-character identifier attached to the header of the packet
- SSID is sent in plaintext in the packets
- Operating systems will display a list of SSIDs active in the area
- since it is part of every packet it is discoverable
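What "sent in plaintext" means at the frame level, as an added example (not from the original slides): the SSID is read directly out of an unencrypted beacon or probe response as information element 0, with no key involved. The helper names, BSSID and sample frame bytes below are constructed for illustration.

```python
import struct

MGMT_HDR_LEN = 24      # frame control, duration, 3 addresses, sequence control
FIXED_LEN = 12         # timestamp (8), beacon interval (2), capabilities (2)

def build_beacon(ssid: bytes) -> bytes:
    """Constructed sample beacon (made-up BSSID), used only as parser input."""
    bssid = bytes.fromhex("020000000001")
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0011)
    # SSID element, then supported-rates and channel elements as filler
    elements = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82, 3, 1, 6])
    return hdr + fixed + elements

def extract_ssid(frame: bytes):
    """Return the SSID from a beacon/probe response, or None if hidden or absent."""
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN:
        raise ValueError("frame too short")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (5, 8):
        raise ValueError("not a beacon or probe response")
    pos = MGMT_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):               # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == 0:                           # element ID 0 = SSID
            if length > 32:
                raise ValueError("SSID longer than 32 bytes")
            if length == 0 or not any(value):  # "hidden" network: empty or all-NUL
                return None
            return value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

if __name__ == "__main__":
    print(extract_ssid(build_beacon(b"CIS4500-Lab")))
```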

802.11 Security

- Challenge/request scenario: with the AP verifying a decrypted “key” for authentication.
- Solutions: Open System Authentication Process or Shared Key Authentication Process.
- You can also use an authentication server (RADIUS)

Wireless Encryption

- WEP is the 802.11 protocol’s method for ensuring confidentiality and authentication
- WEP encrypts the data with an RC4 stream cipher
- Depends on the client and the access point having a shared secret “key”
- WEP supports three key lengths: 40, 104, and 232 bits (referred to as 64, 128 and 256 bits)
- 24 bits of the overall key length are for the initialization vector
- The IV is the primary reason for the weaknesses
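Why the 24-bit IV is the weak point, as an added example (not from the original slides): WEP keys RC4 per frame with the IV followed by the shared secret, so any repeated IV repeats the keystream and the XOR of two ciphertexts equals the XOR of their plaintexts. The sketch omits WEP's CRC-32 integrity value, assumes randomly chosen IVs for the repeat estimate, and uses a constructed key and payloads.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """Per-frame RC4 key = 24-bit IV followed by the shared secret (ICV omitted)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(payload, rc4_keystream(iv + secret, len(payload)))

def frames_until_iv_repeat(iv_bits: int = 24, target: float = 0.5) -> int:
    """Smallest frame count at which a repeated IV is at least `target` likely,
    assuming IVs are picked uniformly at random (an assumption of this sketch)."""
    space, p_unique, n = 2 ** iv_bits, 1.0, 0
    while 1 - p_unique < target:
        p_unique *= 1 - n / space
        n += 1
    return n

SECRET = bytes.fromhex("0badc0ffee")   # constructed 40-bit key ("64-bit" WEP)
P1 = b"GET /index.html "               # constructed payloads of equal length
P2 = b"user=alice&pw=x1"

def leaks_plaintext_xor(iv1: bytes, iv2: bytes) -> bool:
    """True when c1 xor c2 == p1 xor p2, i.e. the keystream cancelled out."""
    c1, c2 = wep_encrypt(iv1, SECRET, P1), wep_encrypt(iv2, SECRET, P2)
    return xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("same IV leaks P1 xor P2:", leaks_plaintext_xor(b"\x00\x00\x01", b"\x00\x00\x01"))
    print("fresh IV leaks P1 xor P2:", leaks_plaintext_xor(b"\x00\x00\x01", b"\x00\x00\x02"))
    print("frames for a 50% chance of IV repeat:", frames_until_iv_repeat())
```

The repeat estimate depends only on the 24-bit IV space, not on the secret key length, which is why the longer WEP key sizes listed above do not address it.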

WPA and WPA2

- WPA
  - Temporary standard between WEP and WPA2
  - Uses TKIP – 128 bit key
- WPA2
  - AES block cipher
  - Personal or enterprise

802.1X Protocol

- Can support a wide variety of authentication methods
- Fits well into existing authentication systems such as RADIUS and LDAP, VPN and/or dial-up RAS
- Four common ways of implementing 802.1X:
  - EAP-TLS – Extensible Authentication Protocol–Transport Layer Security
  - EAP-TTLS – EAP–Tunneled TLS Protocol
  - EAP-MD5 – using the MD5 encryption protocol
  - EAP – Cisco Wireless, or LEAP

Access Control

Enterprise Wireless Access Point

Wireless Hacking - Discovery

- wigle.net – downloadable app for war driving
- AirPcap – USB wireless adapter
- NetStumbler – finding access points
- Kismet (KisMAC) – wireless sniffer
- WiFi Pineapple – full auditing platform

Stay Alert!

There is no 100 percent secure system, and there is nothing that is foolproof!