This article deals with WLAN security, explains the most common attack techniques
and introduces some useful tools.
Few words on Wireless network topology. Each Wireless network has two major
components, either stations (STA) or access points (AP). Wireless network operates
in one of two modes: ad-hoc (peer-to-peer) or infrastructure mode. In the ad-hoc
mode each client (STA) communicates directly with other clients within the network.
In the infrastructure mode each client (STA) sends its communication requests
to a central station, which is the Access Point (AP). The access point acts
as an Ethernet bridge.
A client and an access point must establish a relationship prior to exchanging
data. Once established the client-access point relationship could be in any
of the following three states:
1. Unauthenticated and unassociated
2. Authenticated and unassociated
3. Authenticated and associated
The exchange of “real” data is only possible in the third state. Until then
the parties communicate using management frames. Access point transmits beacon
management frames at fixed intervals. Client receives this frame and starts
authentication by sending an authentication frame. After successful authentication
the client sends an association frame and the access point responds with an
associated response frame.
Wireless Networks Security Mechanisms
The 802.1 standard for wireless networks provides several mechanisms for achieving
secure network environment. This section explains five widely used mechanisms.
Wired Equivalent Protocol
Wired Equivalent Protocol, or WEP, was first designed by the authors of the
802.1 standard. WEP was designed not to provide a secure network protocol similar
to IPSec, but rather to provide an equivalent level of privacy. WEP aims to
provide security by encrypting data over radio waves. WEP is used to prevent
unauthorized access to the wireless network. WEP is disabled by default. If
it is turned on any outgoing package is encrypted and packed.
The WEP protocol relies on a secret key that is shared in a basic BSS (Basic
Set Service). This key is used to encrypt data packets before they are transmitted,
and an integrity check is run on them. WEP uses the RC4 algorithm, which is
a stream cipher. A stream cipher expands a short key into an infinite pseudo-random
WEP Encipherment Algorithm
* Plaintext message is run though an integrity algorithm to produce integrity
check value, also known as ICV. The 802.11 standard specifies the use of CRC-32.
* The integrity check value is appended to the end of the plaintext message.
* 24-bit initialization vector (IV) is generated and the secret key is concatenated
to it. Then it is used to generate a seed value for the WEP pseudo-random number
* PRNG outputs a key sequence.
* The data is encrypted by XORing with the key sequence generated.
* The IV is appended in the clear to the protected frame (with the ciphertext)
The algorithm involved in deciphering can be easily guessed from the above algorithm.
The IV is used to elongate the life of the secret key.
WEP uses a RC4 key stream; therefore it uses a 64-bit key to generate it, which
XOR'ed to the data/ICV combination, 24-bits IV. The secret key is 40-bits long.
The IEEE proposed changes to the WEP protocol in 2001, after many flaws had
been discovered in the original one. The new version, WEP2, has increased the
IV space from 24 bits to 128 bits and provides Cerberus V Support, though problems
haven't disappeared (discussed later). Complete support for the entire WEP2
has yet to be achieved.
Open System Authentication
Each Wireless network has two authentication systems. Open system authentication
is the first one and default authentication protocol for 802.11. The name implies
that this system authenticates anyone who requests authentication (like a root
account with null password). WEP is not helpful, since experiments have shown
that the authentication management frames are sent in the clear even if WEP
Access Control List
This security feature is not defined in the 802.11 standard, but it is used
by vendors to provide better security in addition to the standard security methods.
Access Control List is based on the client’s wireless Ethernet MAC address (unique
for each NIC). The access point can limit the clients using the network by using
the ACL. If a client's MAC address is listed, then he is permitted access to
the network; if not, then access to the network is denied.
Closed Network Access Control
This feature allows an administrator use either an open network or a closed
network. Open network means that anyone is permitted to join the network, while
in closed network, only clients that know the network name, or SSID, can join.
The network name acts as a shared key.
Wireless Networks Attacks
Most of you will probably find this section more interesting, since it explains
common attack techniques that are used to compromise wireless networks, stealing
bandwidth and just for having fun. If you have a wireless network nearby or
you live in a place where wireless technology is widely used, any of the attack
techniques described below will have 98% success.
Attackers target Wireless networks since about 95% of all networks are completely
unprotected. The current standard (802.11b) grants bandwidth of up to 11 MBps.
If attacked Wirelesses network uses default settings there will be no cap set
on bandwidth, which means the attacker can have complete access to the capacity.
You can find a very convincing example at Neworder - http://neworder.box.sk/newsread.php?newsid=3899.
Access Point Spoofing & MAC Sniffing
Access control list lists provide a reasonable level of security when a strong
form of identity is used. Unfortunately, this is not the case with MAC addresses.
MAC addresses are easily sniffed by an attacker since they must appear in the
clear even when WEP is enabled. Further more, wireless cards permit the changing
of their MAC address via software. An attacker can use those 'advantages' in
order to masquerade as a valid MAC address by programming the wireless card,
and get into the wireless network and use the wireless pipes.
Spoofing MAC address is very easy. Using packet-capturing software, an attacker
can determine a valid MAC address using one packet. If the wireless card firmware
allows changing the MAC address, then he is done.
If an attacker holds wireless equipment nearby, and he/she is near a wireless
network, he will be able to perform a spoofing attack. To perform a spoofing
attack, an attacker must setup an access point (rogue) near the target wireless
network or in a place where a victim may believe that wireless Internet is available.
If the rogue's signal is stronger than the signal of the real access point,
then the victim's computer will connect to the attacker's access point. Once
the victim has established a connection, the attacker can steal his password,
network access, compromise his/her computer etc. This attack is used mainly
for password acquisition.
In this attack, the attacker knows the plaintext message and has a copy of the
ciphertext. The missing piece is the key. In order to get the key, an attacker
would send a target system a small part of data, and then capture the data that
is sent to the destination. Once the attack captured the data, he got the IV.
Now, he can simply run a dictionary attack to find the key.
Another plaintext attack reveals the key stream using a simply XOR. If an attack
has the ciphertext and the plaintext, he can XOR the ciphertext and get the
key stream. The attacker can use the key stream with the right IV, to inject
packets into the wireless network without authenticating o the access point.
Cipher stream Reuse
This problem allows an attacker to recover the key stream from a WEP packet
(encrypted packet). The WEP cipherment algorithm declares small space to the
initialization vector, using this flow an attacker can capture key streams by
sending packets with various IV. Later, the attacker can decrypt the encrypted
message using by XORing with the plaintext message (Note that the attack must
have both ciphertext and plaintext). Later, when authentication data traffic
though the network, the attacker would be able to intercept it, and using the
key stream(s) the attacker can recover it to plaintext.
This research project was released a year ago (August 2001) by Scott Fluhrer
of Cisco Systems, Itsik Mantin and Adi Shamir of the Computer Science Department
of The Weizmann Institute in Israel. The project is dealing with weaknesses
in the Key Scheduling Algorithm (KSA) of RC4.
This group discovered two weaknesses in the KSA. The attack technique, which
is described in their research paper, cracks keys of both WEP (24 bit long)
and WEP2 (128 bit long). Adam Stubblefield or Rice University and John Loannidis
and Aviel Rubin of AT&T Labs approved this attack technique later. Once the
attack was approved, two new tools become available to the public (air snort
and WEPCrack). Their source code, though, was never released to the public.
Most of the attacks in this category are based on ARP poisoning, or cache poisoning.
Basically, ARP spoofing is a method of exploiting the interaction of IP and
Ethernet protocols. Since, this article is not about ARP protocols, or ARP attacks,
I'll describe shortly the attacks and the purpose.
The attacker combines an access point with a virtual private network server
of the same type as the one on the target network. When a user tries to connect
to the real server, the spoofed server sends a replay back, leading the user
to connect to the fake server.
This type of attack is complex to be explain in this article, though you can
find good articles about ARP poisoning at www.ebcvg.com
A wireless attacker would probably start with this attack, since most wireless
networks are completely unprotected (they use open system authentication), and
moreover, WEP is not present by default.
All an attacker needs to attack such a system is a wireless card and a scanner
(see at the end of this article). An attacker scans for open access points that
allow anyone to connect, and then connects to the access point. Attackers use
it to have free Internet access, launching a blind attack (attacking a third
Securing Wireless Networks
Wireless network has become very popular among companies, because it allows
employees to access the wired network (WLAN) from any place thus granting roaming
ability. New technologies usually fail to provide decent security level - Wireless
is not an exception. This section describes the most common ways to improve
security of a Wireless network.
MAC Address Filtering
This method uses a list of MAC addresses of client wireless network interface
cards that are allowed to associate with the access point. If there are several
access points, the list should be available on all access points, which the
client can be associated with. Administrators should take care that the list
is 'up-to-date'. Though this method is vulnerable (see above), it is widely
used to secure wireless networks.
As was stated above, WEP provides a certain level of data encryption for communication
between clients and access points. Still, WEP should be enabled, because there
is no need to make it easier for attacker to compromise the network. Once again,
this method is vulnerable to different kind of attacks.
SSID (Network ID)
The first attempt to secure wireless network was the use of Network ID (SSID).
When a wireless client wants to associate with an access point, the SSID is
transmitted during the process. The SSID is a seven digit alphanumeric ID that
is hard coded into the access point and the client device. Using SSID, only
those clients, who hold the correct Network ID, are allowed to associate with
the access point. With WEP enabled, the SSID is transmitted in encrypted form,
but if an attacker has a physical access to the device, he/she can determine
the SSID, since it is stored in clear text.
Once the SSID is compromised by an attacker, the Wireless network administrator
must assign a new SSID manually.
Using a firewall to secure a wireless network is probably the only security
feature that will prevent unauthorized access. As mentioned below, the access
to the network should be done via IPSec, secure shell or VPN. Thus, the firewall
should be configured to allow only IPSec or secure shell traffic. A illustration
of an access to a wired network form a wireless network:
1. The wireless client authenticated and associates with wireless access point.
For better security, the access point should be configured to filter MAC addresses.
2. The access point sends a request to the DHCP server. The server assigns the
client a network address.
3. Once the network address is assigned, the wireless client is now at the wireless
network. In order to access the wired network, it either sets up an IPSec VPN
Tunnel or uses secure shell.
It is important to configure the firewall to accept only secure connections,
all other connect should be denied.
Access points can accommodate MAC filtering and should be configured to do so,
though MAC addresses can be spoofed (see above). Administrators should take
care that the AP is located in a secured place, so unauthorized physical access
will be permitted.
Configuring AP is done via telnet, web browser or SNMP. It is recommended to
allow configuration only via telnet session, and block all other ways.
Before taking any implementation to secure a wireless network, it is important
to properly design the network. A properly designed network can eliminate some
risks associated with wireless networks.
Some tips for proper design:
1. Protect wireless networks with VPN or access control list.
2. Access points should not be connected to the internal wired network even
if WEP is enabled.
3. Access points should be never placed behind a firewall.
4. Wireless clients are allowed to access the network though a secure shell,
IP-Sec or virtual private network. These provide user authorization, authentication
and encryption - secure your network.
WEPCrack - http://www.ebcvg.com/download.php?id=1083
NetSumbler(windows) - http://www.ebcvg.com/download.php?id=1084
Airsnort - http://www.ebcvg.com/download.php?id=1085
Wireless Access Points and ARP Poisoning -
Best Practices for Deploying Wireless LANs -