Practical Studying of Wi-Fi Network Vulnerabilities

Aigerim Ismukhamedova (2), Yelena Satimova (1, 2), Andrei Nikiforov (2) and Natalia Miloslavskaya (2)

(1) Almaty University of Power Engineering and Telecommunications, AUPET (AIPET), Almaty, Kazakhstan
(2) National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), Moscow, Russia
{Aigerim_ismukhamedova, lena_sat}@mail.ru

Abstract – Currently great attention is paid to protecting the operating system (OS) against malware, viruses, etc. Wi-Fi is the most popular and demanded way of connecting to the Internet, used in many companies and by individuals. Wi-Fi is a widespread technology, and in different situations it requires additional software for a protected installation. Wi-Fi networks can be cracked, and personal data can be stolen or compromised. The paper considers a process of Wi-Fi network hacking for educational purposes. Some hacking techniques are shown as implemented in laboratory works.

Keywords – vulnerability, secure, Wi-Fi

I INTRODUCTION

When training information security (IS) professionals as well as ordinary users, the problem arises of supplementing lectures with specialized laboratory works. Ample literature on developing such educational courses in universities of Russia and other countries provides and illustrates various techniques for simulating attacks while teaching students and training them to decide which protection measures should be taken when a vulnerability is detected. This work is a kind of educational experiment that may be useful both in professional training and for ordinary users. The laboratory work (lab work) described below is carried out within two master's courses, «Secure Information Systems» and «Objects' Information Security Maintenance Technologies», and within the «Open Systems' Information Security» course for specialists. It is considered a supplement to the main topics of these courses, because dedicated Wi-Fi issues are not covered there in detail and are left to homework assignments. It presupposes some theoretical preparation of the students through reading the recommended literature. The work gives an idea of Wi-Fi and its structure and shows network intrusion techniques on a laboratory bench. It is relevant because of the mass spread and everyday use of Wi-Fi networks. It can help users and students specializing in IS to train their skills in changing the passwords of their Wi-Fi networks and making them more complex in an environment exposed to various attacks.

The paper is organized as follows. Section II presents related works that inspired the authors to create the lab work. Section III describes its implementation scenario, including the Wi-Fi adapter modes (to clarify the work's features and their specifics), the software used, encryption algorithms and cryptographic techniques. Some results of the work, as well as the advantages and disadvantages of its current version, are given in Section IV. Section V ends the paper with some recommendations on securing Wi-Fi networks and with further development of the work.

II RELATED WORKS

During the lab work development we studied several similar works covering different Wi-Fi hacking and protection techniques. Here is a short review of the selected ones. Among the advantages of the «Ultimate Wi-Fi Hacking & Security Series» and «Learning Wi-Fi Key Penetration Testing (WEP/WPA/WPA2)» lab works are their focus on beginners in the field of IS, a detailed exposition of the basic principles and definitions, and a description of hacking techniques and of protection against them. Their disadvantages are special requirements on the OS, the need for Linux skills, and the absence of practical training. These works are not included in any educational course [1, 2]. Among the reviewed books on the subject, the best one from our point of view is Wilson Siringoringo's book «Teaching and Learning Wi-Fi Networking Fundamentals Using Limited Resources». Anyone can read the content of the required chapter and buy it without paying for the whole book. The material on the basics of Wi-Fi network security is well expounded [3]. Another course that was useful for our work is the «Wireless Security» course at Colorado State University. One of its chapters is devoted to a detailed analysis of Wi-Fi networks and a description of their advantages and potential problems. It is a good course with a clear explanation of everything the students need [4].

III LAB WORK IMPLEMENTATION SCENARIO

A. MODES OF OPERATION OF A WI-FI ADAPTER

Since Wi-Fi usage is widespread, a Wi-Fi adapter has to be used during the lab work to detect the signals sent to devices in range. As the antenna (Wi-Fi adapter) may fail to extract some packets, the driver can operate in three modes: client, monitor and promiscuous (Figure 1 shows the packets intercepted in the different modes).

In the client mode the user is not interested in packets not intended for him, whereas in the promiscuous mode the user must be connected to the network. Except for damaged packets and 802.11 headers, the monitor mode is similar to the client mode, and it is supported by the lion's share of adapters, even more so than the promiscuous mode. The only problem that arises here is that not all adapters can transmit data concurrently while in the monitor mode [6].

When a student performs the drill, he needs to switch the wireless network card into the monitor («hacking») mode. In the client mode every Wi-Fi adapter detects any signal forwarded to it; packets not addressed to that adapter are discarded and the rest are passed to the OS as received. Damaged packets are discarded in this mode as well, and this is considered normal operation. In the monitor mode (rfmon) the driver does not filter packets, and all information captured by the antenna passes to the OS. Packets with incorrect checksums are not discarded and can be seen, e.g. in Wireshark. The intermediate option is the promiscuous mode: the driver passes to the OS the packets received through the network connection it is associated with, but, contrary to normal operation, packets destined to other clients of that network are not discarded, while packets of other networks are ignored. Clearly such a scheme works only when the user is successfully connected and authenticated to a network. In contrast to the monitor mode, this option is supported by a small number of adapters. When operating in this mode, as well as in the client mode, the driver removes the low-level link-layer headers from the packets it passes on [5].

Fig. 1. Intercepted packets

B. SOFTWARE INSTALLATION AND SETUP

1. The student should install missing packages with the command sudo apt-get install followed by the package name:
   sudo apt-get install aircrack-ng
2. Then he should update the package list and install the desired package (the «-y» option at the end answers «yes» to all questions, so that packages are downloaded without user intervention):
   sudo apt-get update && sudo apt-get install aircrack-ng -y
3. Virtualization is the general name for methods of presenting numerical information or physical phenomena in a form suitable for visual observation and analysis; in computer graphics, visualization is the process of producing images from a model. Having launched xubuntu as a virtual machine in the virtualization environment (the virtual machine is isolated from the host operating system), the student should pass the USB Wi-Fi adapter through to it. (The guest OS must have exclusive rights to the Wi-Fi adapter.)
4. To do so he should connect the USB adapter by clicking VM – Removable Devices (Figure 2), selecting the appropriate Wi-Fi adapter (Figure 3) and clicking Connect. We used the ASUSTek 802.11n WLAN Adapter (from ASUS).

Fig. 2. Device Connection menu

Designations used in the airodump-ng listings: BSSID – MAC address of the access point (AP); PWR – signal level; Data – the number of captured data packets; CH – the channel number of the AP; MB – data transfer speed; ENC – encryption algorithm; CIPHER – cipher type; AUTH – authentication type; ESSID – AP name; STATION – MAC address of the client; Probes – the network name the client tries to connect to.
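The designations above are the columns a student reads off the captured-network listing. The following Python script is an added example (not from the paper and not part of aircrack-ng): it parses a hand-constructed listing in that column layout and classifies every network by its ENC, CIPHER and AUTH values, which is the check an administrator runs to find their own access points still configured with OPN, WEP or TKIP. The MAC addresses and names in the sample are made up; the only assumption the parser makes is that ENC is followed by optional CIPHER and AUTH tokens and that everything after them is the ESSID.

```python
"""Audit an airodump-ng-style network listing for weak encryption (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample listing: fake MAC addresses and network names, in the
# column order the paper describes (real airodump-ng also shows Beacons and #/s).
SAMPLE_LISTING = """\
BSSID              PWR  Data  CH  MB   ENC  CIPHER AUTH ESSID
00:11:22:33:44:55  -41   120   6  54e  WEP  WEP    OPN  LabNet-WEP
00:11:22:33:44:66  -57     3  11  54e  OPN              Cafe Free
00:11:22:33:44:77  -63    40   1  54e  WPA2 CCMP   PSK  Home-2G
00:11:22:33:44:88  -70    15   9  54   WPA  TKIP   PSK  OldRouter
00:11:22:33:44:99  -88     0   3  54e  WPA2 CCMP   MGT  Campus Eduroam
"""

CIPHERS = {"CCMP", "TKIP", "WEP", "WEP40", "WEP104", "GCMP"}
AUTHS = {"PSK", "MGT", "OPN", "SKA", "SAE"}


@dataclass
class Network:
    bssid: str
    pwr: int
    data: int
    ch: int
    mb: str
    enc: str
    cipher: str
    auth: str
    essid: str


def parse_listing(text: str) -> List[Network]:
    """Turn listing lines into Network records; header and blank lines are skipped."""
    nets = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] == "BSSID":
            continue
        bssid, pwr, data, ch, mb, enc = tokens[:6]
        rest = tokens[6:]
        # CIPHER and AUTH are blank for open networks, so they are recognised by value.
        cipher = rest.pop(0) if rest and rest[0] in CIPHERS else ""
        auth = rest.pop(0) if rest and rest[0] in AUTHS else ""
        # ESSIDs may contain spaces; an ESSID that literally starts with a
        # cipher/auth token would be mis-split, which is acceptable for an audit.
        essid = " ".join(rest)
        nets.append(Network(bssid, int(pwr), int(data), int(ch), mb, enc, cipher, auth, essid))
    return nets


def classify(net: Network) -> str:
    """Map the ENC/CIPHER/AUTH triple to a verdict an administrator can act on."""
    if net.enc == "OPN":
        return "open: no encryption, any traffic can be read"
    if net.enc == "WEP":
        return "critical: WEP, key recoverable from captured traffic"
    if net.enc == "WPA" or net.cipher == "TKIP":
        return "weak: legacy WPA/TKIP, migrate to WPA2-CCMP or WPA3"
    if net.enc in {"WPA2", "WPA3"} and net.auth == "MGT":
        return "ok: 802.1X/EAP (Enterprise)"
    if net.enc in {"WPA2", "WPA3"}:
        return "ok: pre-shared key, strength depends on the passphrase"
    return "unknown encryption"


def audit(text: str) -> Dict[str, str]:
    """ESSID -> verdict for every network in the listing."""
    return {n.essid: classify(n) for n in parse_listing(text)}


if __name__ == "__main__":
    for essid, verdict in audit(SAMPLE_LISTING).items():
        print(f"{essid:20s} {verdict}")
```

Feeding the script the output of an airodump-ng run over your own premises gives a quick inventory of access points that still need to be moved off WEP or TKIP, which is the practical meaning of the ENC and CIPHER columns described above.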

C. LAB WORK IMPLEMENTATION PROCEDURES

All the steps the student has to perform during the work are described below.

1. Get the superuser rights: sudo su (Figure 4).
2. Update the application sources and install aircrack-ng (Figure 5):
   sudo apt-get update && sudo apt-get install aircrack-ng -y

Fig. 3. Connected adapter

Fig. 4. Superuser command

Fig. 5. Sources updating

3. Type ifconfig -a to show the network interfaces. The option «-a» shows all interfaces, even disabled ones (Figure 6).
4. Get a list of networks by switching the adapter into the monitor mode with the command (Figure 7):
   airodump-ng wlan0
5. Output of the airodump-ng wlan0 command (Figure 8). It should be noted that a very important criterion of network quality is the signal level: if it is below 5-10 GHz [7], a good connection to the network cannot be established and the network is of no practical interest. The next thing to look at is the encryption algorithm (ENC):
   • OPN – a network without encryption, of no interest.
   • WEP – a network with WEP encryption; such networks are in fact of value for this task.
   • WPA/WPA2 – a network with WPA/WPA2 encryption.
   And the cryptographic techniques used to protect data:
   • WEP – statistically the most used method of securing a wireless network. It encrypts all network traffic. It has no authentication: if you do not know the key, you cannot decrypt the data. Its disadvantage is a very weak algorithm; the key is cracked by an attacker in less than 5 minutes.
   • WPA and WPA2 Pre-Shared Key – strong system authentication and data encryption. Access is granted through a shared key. The level of protection depends on the complexity of that pre-shared key, as the system is susceptible to brute-force attacks.
   • WPA and WPA2 Enterprise – a variant of the previous system, but an external 802.1x EAP authenticator is used to confirm identity, which allows the use of certificates, smart cards, etc. [8].
6. Open another terminal and start (Figure 9):
   airodump-ng -c [channel number] --bssid [network MAC address, copied from the first terminal] -w output-[name of the file to record to] [interface to listen on]
7. Press «Enter» after the airodump-ng command and observe the network (Figure 10).
8. In the first terminal enter the command (Figures 11 and 12), where «-a» is the AP, «-c» is a connected client and «-0 1» is the transmission rate:
   aireplay-ng -0 1 -a [bssid] -c [station] [interface to listen on]
   After the aireplay-ng command the specified client is disconnected from the network, and then the client tries to reconnect automatically. The client reconnects and produces a handshake (Figure 13). aircrack-ng intercepts packets both from the client to the AP and vice versa (Figure 14).
9. The aircrack-ng command tries passwords from a password dictionary and finds the correct network password (Figure 15).

Fig. 6. «ifconfig -a» command

Fig. 7. Monitor mode

Fig. 8. Working in the monitor mode

Fig. 9. The syntax of the airodump-ng command

Fig. 10. Work of the airodump-ng command

Fig. 11. The syntax of the aireplay-ng command

Fig. 12. Work of the aireplay-ng command

Fig. 13. WPA handshake

Fig. 14. aircrack-ng command

Fig. 15. Found password

IV DISCUSSION

The lab work was carried out on the laboratory benches of one of AUPET's departments at the beginning of 2016. Thirty students were selected as the first testers of this work, and according to the results obtained all the participants coped with the task. In their opinion the techniques of the work are adequate, and the lab work can be included in the collection of compulsory works within the master's courses «Secure Information Systems» and «Objects' Information Security Maintenance Technologies» as well as in the «Open Systems' Information Security» course for specialists.

As a result of the practical part of the lab work it was found that WEP is the protocol most favourable for breaking. The maximum time spent on password selection was 14 hours 38 minutes and the minimum time was 3 hours 41 minutes.

Based on the results of the lab work, some recommendations were worked out for those who wish to secure their work with Wi-Fi networks:
• Do not use WEP; switch completely to WPA2 and more advanced protocols and the corresponding infrastructure.
• Do not use the minimum acceptable password length: the longer the better.
• Use a unique password with uppercase and lowercase letters.
• Do not use dates (for example, all dates of the form DDMMYYYY from 01.01.1950 to 01.01.2010 can be tried within a minute).
• Use SSID cloaking and MAC filtering (they help, though only slightly).

V CONCLUSION

The lab work described above shows students how readily their Wi-Fi network can be broken and their personal data stolen or compromised. After the lab work they begin to understand that Wi-Fi, as a widespread technology, requires additional software for a protected installation. They are trained to use some techniques to counteract the particular attacks. In the future it is planned to supplement the lab work with a quiz to estimate the students' knowledge and to expand the set of educational tasks. It is very likely that the lab work will become the basis of a separate educational course on Wi-Fi network security.

VI ACKNOWLEDGEMENT

This work was supported by the Competitiveness Growth Program of the Federal Autonomous Educational Institution of Higher Education National Research Nuclear University MEPhI (Moscow Engineering Physics Institute).
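The recommendations of Section IV can be turned into a policy check that a network administrator applies before a pre-shared key goes into production. The Python script below is an added example (not part of the paper): it rejects WEP as the network mode, requires a length above the protocol minimum (the MIN_LEN value of 16 is our own policy assumption; WPA2-PSK itself accepts 8 to 63 ASCII characters), requires mixed case, and rejects passphrases shaped like a date. It also counts the calendar dates between the two dates the paper quotes, which shows why a DDMMYYYY key falls to a dictionary in about a minute: the whole candidate space is a few tens of thousands of strings. The regular expressions go slightly beyond the paper's DDMMYYYY case and also catch separated date forms such as 01.01.1950 and 1950-01-01.

```python
"""Check a Wi-Fi network mode and pre-shared key against the paper's recommendations (added example)."""
import re
from datetime import date
from typing import List

MIN_LEN = 16            # assumed policy value; WPA2-PSK accepts 8..63 ASCII characters
MAX_LEN = 63
ACCEPTED_MODES = {"WPA2", "WPA3"}   # "do not use WEP": WPA2 and more advanced protocols only

DATE_SHAPES = [
    re.compile(r"^\d{8}$"),                            # DDMMYYYY or YYYYMMDD
    re.compile(r"^\d{1,2}[./-]\d{1,2}[./-]\d{2,4}$"),  # 01.01.1950, 1/1/50
    re.compile(r"^\d{4}[./-]\d{1,2}[./-]\d{1,2}$"),    # 1950-01-01
]


def count_dates(first: date, last: date) -> int:
    """Size of the candidate set if the key is a calendar date between first and last (inclusive)."""
    return (last - first).days + 1


def paper_date_space() -> int:
    """The DDMMYYYY range quoted in the paper: 01.01.1950 .. 01.01.2010."""
    return count_dates(date(1950, 1, 1), date(2010, 1, 1))


def looks_like_date(psk: str) -> bool:
    """True if the whole passphrase has the shape of a date in one of the known forms."""
    return any(shape.match(psk) for shape in DATE_SHAPES)


def check_psk(mode: str, psk: str) -> List[str]:
    """Return the violated rules ('mode', 'length', 'case', 'date'); an empty list means acceptable."""
    violations = []
    if mode.upper() not in ACCEPTED_MODES:
        violations.append("mode")
    if not MIN_LEN <= len(psk) <= MAX_LEN:
        violations.append("length")
    has_upper = any(c.isupper() for c in psk)
    has_lower = any(c.islower() for c in psk)
    if not (has_upper and has_lower):
        violations.append("case")
    if looks_like_date(psk):
        violations.append("date")
    return violations


if __name__ == "__main__":
    print(f"DDMMYYYY dates from 01.01.1950 to 01.01.2010: {paper_date_space()} candidates")
    # Constructed test keys, not real credentials.
    for mode, psk in [("WEP", "Correct-Horse-Battery-Staple-2016"),
                      ("WPA2", "01011990"),
                      ("WPA2", "Correct-Horse-Battery-Staple-2016")]:
        print(f"{mode:5s} {psk!r}: {check_psk(mode, psk) or 'OK'}")
```

The date count is the point worth remembering: at a few hundred WPA2 handshake checks per second, a keyspace of that size is exhausted in well under the minute the paper mentions, whereas a 16-character mixed-case passphrase is out of reach of the same dictionary approach.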

REFERENCES

[1] Ultimate WiFi Hacking & Security Series. URL: https://www.udemy.com/ultimate-wifi-hacking-security/ (access date 28.04.2016).
[2] Learn Wi-Fi Key Penetration Testing (WEP/WPA/WPA2). URL: https://www.udemy.com/learn-cracking-wi-fi-passwordskeyswepwpawpa2/ (access date 28.04.2016).
[3] Siringoringo W. "Teaching and Learning Wi-Fi Networking Fundamentals Using Limited Resources". URL: http://www.igiglobal.com/chapter/teaching-learning-networking-fundamentalsusing/30428 (access date 28.04.2016).
[4] Wireless Security. URL: http://www.cs.colostate.edu/~massey/Teaching/cs356/RestrictedAccess/Slides/356lecture29.pdf (access date 28.04.2016).
[5] Miller S. "Wi-Fi Security". 2003.
[6] Edney J. "Real 802.11 Security: Wi-Fi Protected Access and 802.11i". 2003.
[7] Geier E. "Wi-Fi Security Myths". 2015.
[8] Information Security of Open Systems. Textbook for educational institutions. Volume 1 – Threats, Vulnerabilities, Attacks and Security Approaches / S.V. Zapechnikov, N.G. Miloslavskaya, A.I. Tolstoy, D.V. Ushakov. Moscow: Goriachaja linia-Telecom, 2006. 536 p.; Volume 2 – Protection Tools in Networks. Moscow: Goriachaja linia-Telecom, 2008. 558 p. (in Russian)
