DoS on 802.11 and other security issues (see the paper first)

Security Issues in the 802.11
Created by: SHROBON BISWAS

Operating Frequencies

WLANs operate in 3 different frequency ranges.
● 2.4 GHz (802.11 b/g/n)
● 3.6 GHz (802.11 y)
● 4.9/5.0 GHz (802.11 a/h/j/n)

Each of these ranges is divided into multiple channels (channels 1, 2, 3, ..., 14 for 802.11 b/g/n).

Our Wi-Fi card can be set to one particular channel at any instant of time.

Know The Terminology

BSSID - Basic Service Set Identifier
ESSID - Extended Service Set Identifier
STA - Station / Wireless client
AP - Access Point (Wireless Modem)
Beacon - Broadcasting self existence
Probe - Hello! Anybody there??
PNL - Preferred Network List

Different Modes of the NIC

● Monitor mode - Receive all packets, whether the packets are destined to us or not.
● AdHoc mode - Peer-to-peer connection with no centralised AP.
● Managed mode - Client connects to a particular AP and once connection is made, client cannot communicate with other clients.
● Master mode - A wireless card can only communicate with connected clients in master mode.

** For our discussion, we will be focusing only on the monitor mode.

Connection Process

1. Lonely AP keeps broadcasting its presence (keeps sending beacon frames out into the air).
2. Client laptop sends probe requests to the APs available nearby: "Hey brother, are you there??"
3. AP sends the client a probe response saying: "Yes bro, I am right here."
4. Client now sends an Authentication Request: "Can I use your internet?"
5. AP sends an Authentication Response saying: "Yes you can."
6. Client now asks "Are you sure?" and sends an Association Request.
7. AP says "YES bro, I am sure" and sends an Association Response.
8. DeAuth packets are sent to close the connection.

AP-STA State Machine [1]
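
The connection process and the AP-STA state machine above, as an added example that is not part of the original slides: it decodes the 24-byte 802.11 management header and replays a capture through the three connection states. The MAC addresses, the sample frames and the function names are constructed for illustration.

```python
import struct

# 802.11 management subtypes (Frame Control type 0) used in the connection process.
SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
            8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
AP, STA, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"  # constructed

def parse_mgmt(frame):
    """Decode the 24-byte header: frame control, duration, addr1-3, sequence control."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc, _dur, a1, a2, _a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if (fc >> 2) & 0x3 != 0:
        return None  # control or data frame, not a management frame
    name = SUBTYPES.get((fc >> 4) & 0xF, "other-mgmt")
    return {"subtype": name, "dst": a1.hex(":"), "src": a2.hex(":"), "body": frame[24:]}

def track_state(frames, sta):
    """Replay frames; 1 = unauth/unassoc, 2 = auth/unassoc, 3 = auth/assoc."""
    state, history = 1, []
    for raw in frames:
        f = parse_mgmt(raw)
        if f is None or sta not in (f["src"], f["dst"]):
            continue  # not to or from this station, e.g. broadcast beacons
        kind, body, to_sta = f["subtype"], f["body"], f["dst"] == sta
        if kind == "auth" and to_sta and state == 1 and len(body) >= 6:
            _alg, seq, status = struct.unpack("<HHH", body[:6])
            state = 2 if (seq == 2 and status == 0) else 1
        elif kind == "assoc-resp" and to_sta and state == 2 and len(body) >= 4:
            state = 3 if struct.unpack("<H", body[2:4])[0] == 0 else 2
        elif kind == "disassoc" and state == 3:
            state = 2
        elif kind == "deauth":
            state = 1  # resets to state 1 from any state
        history.append((kind, state))
    return history

def build(subtype, dst, src, body=b""):
    """Build a constructed sample frame (no radiotap header, no FCS); BSSID = AP."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, raw(dst), raw(src), raw(AP), 0) + body

SAMPLE = [  # constructed capture following steps 1-8 of the connection process
    build(8, BCAST, AP), build(4, BCAST, STA), build(5, STA, AP),
    build(11, AP, STA, struct.pack("<HHH", 0, 1, 0)),  # auth request, Open System
    build(11, STA, AP, struct.pack("<HHH", 0, 2, 0)),  # auth response, status 0
    build(0, AP, STA), build(1, STA, AP, struct.pack("<HHH", 0x0401, 0, 0xC001)),
    build(12, STA, AP, struct.pack("<H", 3)),          # deauth, reason code 3
]
```

Calling `track_state(SAMPLE, STA)` returns the state after each frame; a monitoring tool can use the same tracking to flag a station that keeps dropping from state 3 back to state 1.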

Protect Against Unauthorized Access

Methods:
1. HIDDEN SSID: LAME!! LAME!!
2. MAC FILTERING: SHAME SHAME!! [2]
3. WEP encryption: SKA 64/128 bit WEP, Blunder!
4. WPA - TKIP, Moderate security
5. WPA2 - CCMP, Does little better than WPA2

** None of the security methods mentioned are foolproof due to the lack of robustness of the 802.11.

WLAN Packet Headers [3]

Understanding DoS Attack [4]

It’s Demo Time

What’s in the menu?
★ Channel Hopping
★ Packets!! (not food packets)
★ Unhiding Hidden SSID
★ Denial of Service (DoS Attack)
★ Shattering MAC Filtering / Binding
★ Basics of Honeypot / Evil Twin & Other Hotspot Based Attacks + Isolated Clients + Gratuitous ARP
★ The Famous MITM

Links and References

[1] Access Point and Station state machine: cecs.wright.edu
[2] Intercepting Mobile Communications: The Insecurity of 802.11: Nikita Borisov, Ian Goldberg, David Wagner
[3] WLAN Packet Headers: www.wildpackets.com
[4] Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks: Kemal Bicakci, Bulent Tavli (This paper just states a possibility and not the working infrastructure and proof) (Deals with MAC address spoofing detection, used in WIDS and WIPS today)
[5] Study of DoS Attacks on IEEE 802.11 WLAN and its Prevention/Detection Techniques: Nisha Sharma, Paras Nath Barwal, CDAC Noida