1.
Attack and Defense in Wireless
Networks
Presented by Aleksandr Doronin

2.
What is WEP ?
• Wireless connections need to be secured since the
intruders should not be allowed to access, read and
modify the network traffic.
• Mobile systems should be connected at the same
time.
• Algorithm is required which provides a high level of
security as provided by the physical wired networks.
• Protect wireless communication from eavesdropping,
prevent unauthorized access.

3.
Security Goals of WEP:
• Access Control
 Ensure that your wireless infrastructure is not
used.
• Data Integrity
 Ensure that your data packets are not modified in
transit.
• Confidentiality
 Ensure that contents of your wireless traffic is not
leaked.

4.
Understanding WEP
• WEP relies on a secret key which is shared between
the sender (mobile station) and the receiver (access
point).
• Secret Key : packets are encrypted using the secret
key before they are transmitted.
• Integrity Check : it is used to ensure that packets are
not modified in transit

5.
Understanding WEP contd…
• To send a message to M:
– Compute the checksum c(M). Checksum does not
depend on the secret key ‘k’.
– Pick a IV ‘v’ and generate a key stream RC4(v,k).
– XOR <M,c(M)> with the key stream to get the
cipher text.
– Transmit ‘v’ and the cipher text over a radio link.

6.
How WEP Works
Key Stream = RC4(v,k)
Message CRC
Transmitted Data
XOR
Cipher Text
V
Plain Text

7.
How WEP works ?
• WEP uses RC4 encryption algorithm known as
“stream cipher” to protect the confidentiality of its
data.
• Stream cipher operates by expanding a short key into
an infinite pseudo-random key stream.
• Sender XOR’s the key stream with plaintext to
produce cipher text.
• Receiver has the copy of the same key, and uses it to
generate an identical key stream.
• XORing the key stream with the cipher text yields the
original message.

8.
Attack types
• Passive Attacks
– To decrypt the traffic based on statistical analysis
(Statistical Attack)
• Active Attacks
– To inject new traffic from authorized mobile stations,
based on known plaintext.
• Active Attacks
– To decrypt the traffic based on tricking the access point
• Dictionary Attacks
– Allow real time automated decryption of all traffic.

9.
Wireless Networks and Security
1) What are Wireless Networks?
• A wireless network is the way that a computer is connected
to a router without a physical link.
2) Why do we need?
• Facilitates mobility – You can use lengthy wires instead, but
someone might trip over them.
3) Why security?
• Attacker may hack a victim’s personal computer and steal
private data or may perform some illegal activities or crimes
using the victim’s machine and ID. Also there's a possibility to
read wirelessly transferred data (by using sniffers)

10.
Wireless Networks and Security
Three security approaches:
1. WEP (Wired Equivalent Privacy)
2. WPA (Wi-Fi Protected Access)
3. WPA2 (Wi-Fi Protected Access, Version 2)
WPA also has two generations named Enterprise and Personal.

11.
WEP (Wired Equivalent Privacy)
• Encryption:
– 40 / 64 bits
– 104 / 128 bits
24 bits are used for IV (Initialization vector)
• Passphrase:
– Key 1-4
– Each WEP key can consist of the letters "A" through "F" and the
numbers "0" through "9". It should be 10 hex or 5 ASCII characters in
length for 40/64-bit encryption and 26 hex or 13 ASCII characters in
length for 104/128-bit encryption.

12.
WPA/WPA2 Personal
• Encryption:
– TKIP
– AES
• Pre-Shared Key:
– A key of 8-63 characters
• Key Renewal:
– You can choose a Key Renewal period, which instructs the device how
often it should change encryption keys. The default is 3600 seconds

13.
Attacking WEP
• iwconfig – a tool for configuring wireless adapters. You can
use this to ensure that your wireless adapter is in “monitor”
mode which is essential to sending fake ARP (Address
Resolution Protocol) requests to the target router
• macchanger – a tool that allows you to view and/or spoof
(fake) your MAC address
• airmon – a tool that can help you set your wireless adapter
into monitor mode (rfmon)
• airodump – a tool for capturing packets from a wireless router
(otherwise known as an AP)
• aireplay – a tool for forging ARP requests
• aircrack – a tool for decrypting WEP keys

14.
How to defend when using WEP
• Use longer WEP encryption keys, which makes the data analysis task more
difficult. If your WLAN equipment supports 128-bit WEP keys.
• Change your WEP keys frequently. There are devices that support
"dynamic WEP" which is off the standard but allows different WEP keys to
be assigned to each user.
• Use a VPN for any protocol, including WEP, that may include sensitive
information.
• Implement a different technique for encrypting traffic, such as IPSec over
wireless. To do this, you will probably need to install IPsec software on
each wireless client, install an IPSec server in your wired network, and use
a VLAN to the access points to the IPSec server.

15.
How to defend when using WPA
• Passphrases – the only way to crack WPA is to sniff the
password PMK associated with the handshake authentication
process, and if this password is extremely complicated it will
be almost impossible to crack
• Passphrase Complexity – select a random passphrase that is
not made up of dictionary words. Select a complex passphrase
of a minimum of 20 characters in length and change it at
regular intervals

16.
Common defense techniques
• Change router default user name and password
• Change the internal IP subnet if possible
• Change default name and hide broadcasting of the SSID
(Service Set Identifier)
• None of the attack methods are faster or effective when a
larger passphrase is used.
• Restrict access to your wireless network by filtering access
based on the MAC (Media Access Code) addresses
• Use Encryption

17.
Summary
• Change all possible default router settings
• Use encryption (WPA/WPA2)
• Use long and complex keys/passphrases