WIRELESS NETWORK SECURITY A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF NATURAL AND APPLIED SCIENCES OF ÇANKAYA UNIVERSITY BY ÇA ĞLAR ÜLKÜDERNER IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN COMPUTER ENGINEERING SEPTEMBER 2007 iii iv ABSTRACT WIRELESS NETWORK SECURITY Ülküderner, Ça ğlar M.S.c., Department of Computer Engineering Supervisor : Asst Prof. Dr. Reza Hassanpour SEPTEMBER 2007, 102 pages This thesis includes a comparative study on wireless network security issues. Thesis also introduces a new method using a GSM operator which can control the internet accesses with improved security. By this method, mobile devices without GPRS cards can use internet access services using 802.11x connections and making acceptable investment by GSM operators. Keywords: Wireless Network Security, One Time Password on Wireless Networks v ÖZ KABLOSUZ A Ğ GÜVENL İĞİ Ülküderner, Ça ğlar Yüksek Lisans, Bilgisayar Mühendisli ği Anabilim Dalı Tez Yöneticisi : Yar. Doç. Dr. Reza Hassanpour Eylül 2007, 102 sayfa Bu çalı şma, kablosuz a ğ güvenli ğini incelemektedir. Çalı şma, GSM operatörlerinin, internet eri şim noktalarını nasıl kontrol edebilece ği ve güvenli ği arttırılmı ş yeni bir yöntem içermektedir. Bu yöntem ile mobil araçlar için GPRS kart kullanmadan, 802.11x ba ğlantısı kullanılarak, makul bir yatırımla GSM operatörleri üzerinden internet eri şim hizmeti vermek mümkün olabilir. Anahtar Kelimeler: Kablosuz A ğ Güvenli ği, Kablosuz A ğlarda Tek Kullanımlık ifre vi ACKNOWLEDGMENTS I would like to give my pleasures to my supervisor Asst. Prof. Dr. Reza Hassanpour for his great patience throughout my university life and thesis. Also thanks for the great support to my brother Türker Gülüm. I dedicate this thesis to my mom Gülay Ülküderner. vii TABLE OF CONTENTS STATEMENT OF NON PLAGIARISM..................................................... iii ABSTRACT ............................................................................................. iv ÖZ ............................................................................................................ v ACKNOWLEDGMENTS .......................................................................... vi TABLE OF CONTENTS ......................................................................... vii LIST OF FIGURES...................................................................................x LIST OF TABLES .................................................................................... xi CHAPTERS: 1INTRODUCTION....................................................................................1 1.1Problem Definition and Motivation.......................................................2 1.2 Scope of Thesis .........................................................................2 1.3. Main Challenges ........................................................................3 1.4. Brief Introduction to Methods Used ............................................3 2. FUNDAMENTALS OF WIRELESS NETWORK PROTOCOLS AND SECURITY ISSUES...........................................................................4 2.1. IEEE 802.11 standards ..............................................................5 2.2. Prevalence of Wireless and 802.11............................................7 2.3. General Security Problems on 802.11 .......................................8 2.3.1. EAP-MD5 ............................................................................8 2.3.2. EAP-OTP ..........................................................................10 2.3.3. EAP-GTC..........................................................................10 2.4. Seven Problems on 802.11......................................................10 2.4.1.P ROBLEM #1: EASY ACCESS ..................................................10 2.4.2. Problem #2: "Rogue" Access Points .................................11 viii 2.4.3. Problem #3: Unauthorized Use of Service ........................12 2.4.4. Problem #4: Service and Performance Constraints ..........13 2.4.5. Problem #5: MAC Spoofing and Session Hijacking...........15 2.4.6. Problem #6: Traffic Analysis and Eavesdropping..............16 2.4.7. Problem #7: Higher Level Attacks.....................................17 3.Wi-Fi NETWORK TRAFFIC.................................................................19 3.1. Connection / Access Protocol in Wi-Fi Networks .....................19 3.2. Analyzing Wi-Fi Network Traffic ...............................................20 3.3. Information From All Frames....................................................21 3.4. Information From Data Frames ................................................22 3.5. Information From Management Frames...................................23 3.6. Summary of Wi-Fi traffic...........................................................24 4.WEP Overview ....................................................................................26 4.1. Decrypting data without keys ...................................................29 4.2. WEP IV problems.....................................................................29 4.3. Some attacks ...........................................................................31 4.4. Problems with RC4 ..................................................................34 4.5. Cipher and mode of operation..................................................35 4.6. Session key derivation .............................................................36 5.Wi-Fi PROTECTED ACCESS (WPA)..................................................38 5.1. Background information for WPA.............................................38 5.1.1. WPA-PSK .........................................................................38 5.1.2. Breaking Confidentiality ....................................................38 6.BREAKING THE SECURITY OF WI-FI ...............................................39 6.1. Recovering a Passphrase Seeded WPA Key...........................39 6.2. WI-FI Protected Access (WPA)................................................41 6.3. Software Tools .........................................................................42 6.3.1. KISMET.............................................................................43 6.3.2. TCPDump .........................................................................44 6.3.3. ETHREAL .........................................................................45 6.3.4. Ettercap.............................................................................46 6.3.5. IPTABLES.........................................................................47 ix 6.3.6. HOSTAP ...........................................................................47 6.3.7. WPA Supplicant ................................................................48 6.3.8. MadWiFi............................................................................48 7.GSM LOCATION BASED AUTHENTICATION USING SMS...............49 7.1. Steps Of Authentication............................................................50 8.CONCLUSION.....................................................................................52 REFERENCES...................................................................................... R1 APPENDICESY..................................................................................... A1 A. Acronyms & Abbreviations ...................................................... A1 B. Used Configurations:............................................................... A6 B.1. hostapd.conf .................................................................... A6 B.2. wpa_supplicant.conf......................................................... A3 B.3. wireless_ap configuration shell script............................... A3 B.4. SMS Server-Client Program............................................. A4 B.4.1.corePortAccess.c .................................................... A4 B.4.2.messageSendingCore.c.......................................... A7 B.4.3.zaman.c ................................................................ A19 B.4.4.sms_server.c......................................................... A20 B.4.5.sms_client.c .......................................................... A26 B.4.6.Makefile................................................................. A29 B.4.7.SMSd .................................................................... A30 x LIST OF FIGURES Figure 1 Simple Working Diagram............................................................4 Figure 2 Eap-Md5 Choreography .............................................................9 Figure 3 The Protocols Of Connecting To A Wi-Fi Network. ..................19 Figure 4 Mac Frame Format...................................................................20 Figure 5 Frame Control Field..................................................................21 Figure 6 Capability Field Of The Beacon Frame.....................................23 Figure 7 Kismet Screen Shot..................................................................43 Figure 8 Ethreal Screen Shot .................................................................45 Figure 10 Gsm Location Based Authentication Using Sms ....................50 xi LIST OF TABLES Table 1 Information Available From An Analysis Of Wi-Fi Frames.........24 xii CHAPTER 1 INTRODUCTION There are many authentication techniques for wireless networks. Some of these techniques can be easily cracked by hackers yet others can be cracked by pattern matching, brute force attacks and