Penetration Testing in Wireless Networks: Shree Krishna Lamichhane
Date 28.11.2016
Abstract
This thesis illustrates the security measures and mechanisms behind the encryption and decryption of data transmitted in a wireless network. Furthermore, it describes and demonstrates several widely experienced security threats in wireless networks. It also briefly explains the evolution of the widely implemented IEEE 802.11 standard and its amendments.
Kali Linux tools were used to perform a penetration test in a WPA secured test network. Information on the target network was gathered and monitored and, after a vulnerability analysis, attacking and cracking tools from Kali Linux were used in order to penetrate the test network. After a series of tests and attacks, the security measures of the network were bypassed and confidential information on the network was successfully stolen.
This thesis has demonstrated how a WPA secured network can be cracked simply with the help of Kali tools. The results and operational understanding of the WPA secured network can be useful in further revealing vulnerabilities within wireless networks to help make them safer.
1 Introduction 1
2 IEEE 802.11 3
3 Bluetooth 21
4 Penetration Testing 25
5 Wireshark 32
5.1 Introduction 32
5.2 Installation 33
6 Kali Linux 34
6.1 Installation 35
6.2 Hardware and Software 35
6.3 Testing 36
7.1 Tools 36
7.2 Monitoring 36
7.3 Gathering Information 37
7.4 Attacking 38
7.5 Testing and Cracking 39
8 Summary 42
References 43
ABBREVIATIONS
Penetration testing is a means of pursuing access to resources without prior knowledge of the means of access, such as a username or password. It is an attack on the system to check for any possible vulnerability in the system. A penetration test also evaluates the security level of the system by safely injecting various exploits. The bottom line that distinguishes a penetration tester from a hacker is permission. Every tester has to have permission from the proprietor of the resources being penetrated, and a report of the task has to be submitted at the end. Such a penetration test helps the organisation build a more secure and reliable system and hence raise its security level against any possible attackers. The main goal of this thesis is to execute a series of penetration tests in a test WLAN in order to determine the security level of the test network. The tests will be accomplished using Kali Linux tools and the results will be analysed with Wireshark.
2 IEEE 802.11
IEEE 802.11 is one of the main standards in wireless networking. By the early 1990s, there had already been rapid growth in the need for networking standards in business, education, health, communication and transport, among others. In 1997, this finally gave rise to the 802.11 standard. IEEE 802.11 is capable of carrying radio transmissions over a large area, depending on equipment and setup. The standard is mainly used to design large networks.
The expansion of WLAN has passed through several pivotal stages. Among them, the ALOHANET research carried out in 1971 by the University of Hawaii is considered a milestone in the development of wireless technologies. The project successfully connected seven campuses on four different islands wirelessly to the same central computer using a star topology [389, 1].
Figure 1 illustrates the increment in the implementations of each of the major sub-
standards from 2000 to 2016. It shows clearly that 802.11n is the most popular and
largely accepted standard.
IEEE 802.11 was principally urged on by the networking needs of homes and offices. However, it was limited to just 2 Mbps of data transfer rate and thus a need for new standards soon emerged. As a result, by now we have several extensions of the standard and a few still to come. These extensions basically differ from each other in their frequencies, bandwidth, data rate and range of coverage. These networking standards work in different bands across the wireless spectrum and they define the category of data that can be transferred over such networks.
All these extensions have their own characteristic header types [4, 1]. Figure 2 shows
the evolution of the 802.11 Standard.
The above Figure illustrates the technical specifications and technologies used during
the evolution of the 802.11 standards over time. As shown in Figure 2, the latest ver-
sions 802.11ad and 802.11ac are among the fastest wireless network protocols.
2.1.1 802.11b
This standard was defined in 1999 and is commonly known as Wi-Fi. As can be seen in Table 1, 802.11b has a bandwidth of 22 MHz and operates at a frequency of 2.4 GHz. It is compatible with 802.11 as it uses the identical media access method designated by the original standard. With a range of up to 150 feet, it is the most familiar standard in use today. It is less prone to multipath propagation interference and allows up to 11 Mbps of data transmission. This standard uses Direct Sequence Spread Spectrum (DSSS) modulation, which redundantly dispatches data over a much wider frequency band than actually necessary, along with a pre-defined chipping code that helps reconstruct any data lost in transmission. Table 1 summarises the key features of the 802.11b standard, the oldest 802.11 protocol.
As Table 1 indicates, 802.11b has a very slow data transfer rate and a short coverage range.
iii. Security and performance, and scarcity of interoperability with speech devices
iv. Shortcomings in QoS provisions for multimedia content
Apple Computer initiated the first comprehensive use of this standard under the trademark 'AirPort'. It uses Wired Equivalent Privacy (WEP), MAC filtering and SSID hiding as security measures.
2.1.2 802.11a
This modification to the initial standard was endorsed in 1999, using the original core protocol but operating in the higher frequency band of 5 GHz. It was amended to ensure a high performance level with a higher data rate of up to 54 Mbps using 52-subcarrier Orthogonal Frequency Division Multiplexing (OFDM) [5]. Despite the higher data rate, it is limited to industrial use only as it made the chips more costly. The overall coverage of 802.11a is even lower than that of 802.11b/g. Most of its signals are promptly absorbed by walls and other solid barriers because of its shorter wavelength. In practice, it has been observed in any WLAN that the lower the data rate, the stronger the coverage. Table 2 describes the 802.11a standard in brief.
It is clear from Table 2 that the data transfer rate is higher than in the old version. Still, the connection range is the same, i.e. ~30.
ii. Higher Data Rate
It is applied mostly in wireless ATM systems and also in hubs, and it is more acceptable for short range connections of between 25 and 35 metres.
2.1.3 802.11g
The third modulation to the initial standard, as seen in Table 3, was ratified in June 2003. It uses the 2.4 GHz band with a channel width of 83.5 MHz, which is capable of producing a data rate of 54 MBps with a range of 100-150 feet. This modulation was made fully compatible with 802.11b and uses the same frequencies. It was immediately implemented in the market. It allowed dual-band 802.11a/b applications to be upgraded to tri-band a/b/g. Its backward compatibility drew many manufacturers to adopt this standard in their products.
As illustrated in Table 3, the data transfer rate and coverage range of the 802.11g standard are improved compared to the older versions, and an upgrade in the modulation has been introduced.
802.11g came with several amendments and several advantages over earlier standards, which include:
i. Extensively implemented
ii. High data transmission rate
iii. Backward compatible
iv. Wide frequency spectrum
AirPort Extreme by Apple and Linksys by Cisco were among the first major manufacturers to adopt this new technology. Cisco has also offered its own mobile adaptors, called Aironet, based on 802.11g.
2.1.4 802.11n
802.11n is one of the latest modifications to the original standard. It was released in October 2009 and came with the feature of multiple-input multiple-output (MIMO) antennas. It has made data transmission possible up to a maximum speed of 600 MBps. Table 4 explains the key specifications of the 802.11n standard.
It is clearly noticeable in Table 4 that the data transfer rate has increased significantly, covering a much bigger range.
802.11n is designed to enhance the performance and security level, and has various advantages over earlier versions of the standard, including:
2.1.5 802.11ac
The newest refinement of the original standard was released in December 2013. Theoretically, it is capable of yielding 6,933 MBps in its eight 160 MHz 256-QAM channels at a frequency of 5 GHz. 802.11ac is backwards compatible with all the previous standards. So far, in real implementations, data rates of up to 720 MBps have been noted [8]. However, the higher the band, the lower the range, and vice versa. The key features of the standard are summarised in Table 5.
IEEE 802.11ac Specifications
PARAMETER            VALUE
Date of approval     Dec 2013
Data Rate (Mbps)     ~7GBps
Range (Metre)        ~35
Modulation           MIMO-OFDM
RF Band (GHz)        5
Channel Width (MHz)  20/40/80/160
Table 5. Summary of the 802.11ac standard
From Table 5, it is clear that 802.11ac allows one of the fastest data transfer rates so far, but the coverage range is quite small compared to that of 802.11n. Expensive implementation, and availability only on premium devices at present, are some of its major drawbacks.
These individual bands are further divided into several channels. For every 802.11b/g/n network in the 2.4 GHz band, signals can be transmitted in fourteen possible channels [9].
Not all of these channels are allowed globally; every country has its own regulations for the implementation of such channels. Figure 3 shows all fourteen available channels of the 2.4 GHz band.
Figure 3 shows clearly that, except for channels 1, 6 and 11, all remaining channels are overlapping channels.
Most of these Wi-Fi channels are separated from each other by a gap of 5 MHz, except the last two channels. This leaves only three non-overlapping channels: channels 1, 6 and 11. These channels can be used for WLAN equipment that only works over non-interfering channels. Despite there being fourteen possible channels for wireless networking, not all of them are permitted for real-life implementations. Every local authority has some restrictions over their use. The table below displays the availability of these Wi-Fi channels in different parts of the world.
CHANNEL   EUROPE (ETSI)   NORTH AMERICA (FCC)   JAPAN
1         YES             YES                   YES
2         YES             YES                   YES
3         YES             YES                   YES
4         YES             YES                   YES
5         YES             YES                   YES
6         YES             YES                   YES
7         YES             YES                   YES
8         YES             YES                   YES
9         YES             YES                   YES
10        YES             YES                   YES
11        YES             YES                   YES
12        YES             NO                    YES
13        YES             NO                    YES
14        NO              NO                    ONLY 802.11b
Table 7. Channel availability in different regions. Extracted from [7]
As Table 7 shows, in most parts of the world channels 1 to 11 are made available for public use, while the rest face some legal barrier. IEEE has documented two frequency bands, 3.6 GHz and 4.9 GHz, under special licence, mostly used in the United States. These bands are implemented mainly in public safety sectors and also for equipment that requires a higher data transmission rate.
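The overlap rule stated above for the 2.4 GHz band (5 MHz channel spacing, 22 MHz wide channels, only channels 1, 6 and 11 free of mutual interference) can be checked rather than taken on trust. The following Python script is an added example written for this edit, not code from the thesis: it assumes the standard 2.4 GHz centre frequencies (2412 MHz for channel 1, rising 5 MHz per channel, and 2484 MHz for channel 14) together with the regional availability transcribed from Table 7, and it generalises the rule to any channel width and region, so the same functions also show why Japan can add channel 14 as a fourth non-overlapping channel.

```python
# Added example: which 2.4 GHz channels actually overlap, and which
# non-overlapping plan a region permits.  Not code from the thesis.
CHANNEL_WIDTH_MHZ = 22  # 802.11b DSSS channel width quoted in the text

# Regional availability, transcribed from Table 7 (channel 14: Japan, 802.11b only).
REGION_CHANNELS = {
    "ETSI": range(1, 14),   # Europe: channels 1-13
    "FCC": range(1, 12),    # North America: channels 1-11
    "JAPAN": range(1, 15),  # Japan: channels 1-14
}


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel.

    Channels 1-13 are spaced 5 MHz apart starting at 2412 MHz; channel 14
    is the odd one out at 2484 MHz (12 MHz above channel 13), which is the
    'except the last two channels' remark in the text.
    """
    if not 1 <= channel <= 14:
        raise ValueError("the 2.4 GHz band has channels 1-14 only")
    return 2484 if channel == 14 else 2412 + 5 * (channel - 1)


def span_mhz(channel: int, width: int = CHANNEL_WIDTH_MHZ) -> tuple:
    """(low, high) edge frequencies of a channel of the given width."""
    c = center_mhz(channel)
    return c - width // 2, c + width // 2


def overlaps(a: int, b: int, width: int = CHANNEL_WIDTH_MHZ) -> bool:
    """True if the two channels' spectra intersect (edges merely touching do not count)."""
    lo_a, hi_a = span_mhz(a, width)
    lo_b, hi_b = span_mhz(b, width)
    return lo_a < hi_b and lo_b < hi_a


def non_overlapping_plan(region: str = "FCC", width: int = CHANNEL_WIDTH_MHZ) -> list:
    """Greedy, lowest-channel-first choice of mutually non-overlapping channels
    among those the region allows.  Reproduces the 1/6/11 plan for FCC and ETSI."""
    chosen = []
    for ch in REGION_CHANNELS[region]:
        if all(not overlaps(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def overlapping_neighbours(channel: int, width: int = CHANNEL_WIDTH_MHZ) -> list:
    """Every other 2.4 GHz channel whose spectrum interferes with `channel`."""
    return [c for c in range(1, 15) if c != channel and overlaps(channel, c, width)]


if __name__ == "__main__":
    for region in REGION_CHANNELS:
        print(f"{region:6s} non-overlapping plan: {non_overlapping_plan(region)}")
    print("channel 6 interferes with:", overlapping_neighbours(6))
```

Running the script prints `[1, 6, 11]` for the FCC and ETSI regions and `[1, 6, 11, 14]` for Japan; passing a different `width` (for example 20 for an OFDM-only 802.11g/n network) shows how the set of usable channels changes with the channel mask.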
The 802.11y standard uses these frequency bands for such purposes. 802.11a/n/ac is designed to transmit signals in the 5 GHz band. It allows the possibility of twenty-five channels, each with 20 MHz bandwidth, when designing a Wi-Fi network. Having more channels available than the 2.4 GHz band, it allows wider room for creating the wireless network, with less interference.
Figure 4 shows the UNII bands of the 5 GHz band used by the 802.11y standard.
The European Union standard EN 301 893 has been mandatory since 1 January 2015 for the use of these channels. The EU has common regulations on the harmonised implementation of the 5 GHz frequency band, and a standard called 2005/513/EC was set on 11 July 2005 [11]. Germany quickly adopted the concept and has enacted regulations over the use of the bands 5.250-5.350 GHz and 5.470-5.725 GHz. Likewise, Austria has directly adopted the enactment into its national law. In the U.S., there is a separate provision for the implementation of the 5.250-5.350 GHz and 5.470-5.725 GHz bands which has forced operators to employ Transmit Power Control (TPC) and Dynamic Frequency Selection (DFS). This helps avoid interference with military applications and TDWR (Terminal Doppler Weather Radar). Among the several amendments to 802.11, 802.11p, also called Wireless Access in Vehicular Environments (WAVE), is one of the recent standards, introduced on 15 July 2010 but hardly implemented. There is also a 60 GHz ISM band operating under 802.11ad and a 900 MHz sub-gigahertz band operating under 802.11ah.
2.3 Headers and Frame
Every data frame transmitted over a wireless network follows a standard pattern consisting of separate headers. The 802.11 frame, shown in Table 8, consists of various fields and can be broken down as follows.
The elements shown in Table 8, as transmitted over the wireless network, are explained below.
Frame Control occupies 2 bytes of space, and its sub-fields together make up those 16 bits. Frame Control is responsible for the control of the entire data packet while it is transmitted over the wireless network.
Duration/ID also consists of 2 bytes and is mainly responsible for setting the network allocation vector (NAV). It sets the minimum waiting time before data is transmitted over the network and also saves power.
Address 1/2/3/4 occupy a total space of up to 6 bytes, depending upon the type of the frame. Its main building blocks are the Access Point's MAC address, Transmitter Address, Receiver Address, Source Address and Destination Address.
Sequence Control occupies 2 bytes of space and can be further divided into a Sequence number and a Fragment number.
Frame Body occupies space up to 2312 bytes, depending upon the size of the data transmitted.
FCS, or Frame Check Sequence, occupies a total of 4 bytes and holds the checksum of the whole header and frame body. It relies on a Cyclic Redundancy Check.
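As an added illustration of the field layout just described (this is not code from the thesis), the following Python script packs and parses the 802.11 MAC header, splits Frame Control and Sequence Control into their sub-fields, recomputes the FCS as a CRC-32 over header and body, and then puts the parser to a defender's use: it counts deauthentication management frames per transmitter across a handful of constructed sample frames, which is the kind of burst a wireless monitoring tool raises an alert on. It assumes the standard 6-byte address fields, little-endian field order, and that the Ethernet CRC-32 (as provided by `zlib.crc32`) is the FCS polynomial; the MAC addresses and frame contents are made up.

```python
import struct
import zlib
from collections import Counter

# Added example, not code from the thesis.
# Header layout: Frame Control, Duration/ID, Addr1, Addr2, Addr3, Sequence Control
# (multi-byte fields little-endian, addresses are 6 raw bytes each).
HEADER = struct.Struct("<HH6s6s6sH")
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
DEAUTH_SUBTYPE = 0xC                       # management subtype 12 = Deauthentication
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02       # flag bits in the second Frame Control byte
FLAG_RETRY, FLAG_PROTECTED = 0x08, 0x40


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs(frame_without_fcs: bytes) -> bytes:
    """Frame Check Sequence: CRC-32 over header + body, transmitted little-endian."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", seq_num=0, frag=0, flags=0):
    """Assemble a 3-address frame (constructed test data, not a real capture)."""
    frame_control = (ftype << 2) | (subtype << 4) | (flags << 8)
    head = HEADER.pack(frame_control, 0, addr1, addr2, addr3, (seq_num << 4) | frag)
    return head + body + fcs(head + body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into the fields of Table 8 and verify its FCS."""
    if len(frame) < HEADER.size + 4:
        raise ValueError("frame shorter than MAC header + FCS")
    fc, duration, a1, a2, a3, seq = HEADER.unpack_from(frame, 0)
    flags = fc >> 8
    offset = HEADER.size
    addr4 = None
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:   # 4-address (WDS) data frame
        addr4 = mac(frame[offset:offset + 6])
        offset += 6
    return {
        "type": TYPE_NAMES.get((fc >> 2) & 0x3, "reserved"),
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & FLAG_TO_DS), "from_ds": bool(flags & FLAG_FROM_DS),
        "retry": bool(flags & FLAG_RETRY), "protected": bool(flags & FLAG_PROTECTED),
        "duration": duration,
        "addr1": mac(a1), "addr2": mac(a2), "addr3": mac(a3), "addr4": addr4,
        "seq_num": seq >> 4, "frag_num": seq & 0xF,   # 12-bit sequence, 4-bit fragment
        "body": frame[offset:-4],
        "fcs_ok": frame[-4:] == fcs(frame[:-4]),
    }


def deauth_sources(frames, threshold=3) -> dict:
    """Transmitters (Addr2) that sent at least `threshold` valid deauth frames.
    A burst from one source towards the broadcast address is the usual
    signature of a deauthentication flood and is worth alerting on."""
    counts = Counter()
    for f in frames:
        p = parse_frame(f)
        if p["fcs_ok"] and p["type"] == "management" and p["subtype"] == DEAUTH_SUBTYPE:
            counts[p["addr2"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample traffic: the MAC addresses are made up.
AP = bytes.fromhex("02aabbcc0001")
STA = bytes.fromhex("02aabbcc0002")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_frame(0, 8, BROADCAST, AP, AP, body=b"\x00" * 12, seq_num=7),           # beacon
    build_frame(2, 0, AP, STA, BROADCAST, body=b"payload", seq_num=1, flags=FLAG_TO_DS),
] + [
    build_frame(0, DEAUTH_SUBTYPE, BROADCAST, AP, AP, body=b"\x07\x00", seq_num=n)
    for n in range(100, 105)                                                     # 5 deauths
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        p = parse_frame(f)
        print(p["type"], p["subtype"], p["addr2"], "->", p["addr1"],
              "seq", p["seq_num"], "fcs_ok", p["fcs_ok"])
    print("deauth flood sources:", deauth_sources(SAMPLE_FRAMES))
```

The same `parse_frame` can be pointed at frames read from a monitor-mode capture; frames whose `fcs_ok` is false are dropped before counting so that radio noise cannot inflate the deauthentication tally.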
2.4 Security
There has been drastic advancement in the field of networking and wireless technologies, and we are surrounded by wireless devices all round. No matter how good a system we build, it is worthless unless we are able to make it reliable and secure enough for daily use. A reliable wireless technology has to be capable of preventing every unauthorised access request so as to protect the valuable information in it. The building blocks of secure communications must ensure integrity, confidentiality and availability. Modern security issues can be categorised under four major threats: interception, interruption, modification and fabrication.
The most popular Wi-Fi security threats are illustrated in Figure 5.
Figure 5. Wi-Fi security threats: data interception, wireless phishing, denial of service, evil twin APs, rogue APs, wireless intruders, endpoint attacks, misconfigured APs, misbehaving clients, and ad hoc and soft APs.
As shown in Figure 5, present-day security threats over wireless networks are many. Wireless security has been very challenging in recent years, with more techniques and exploits being published over the internet. Unauthorised access to WPA networks and capturing data from the air are among the most common security threats.
These days, even encrypted data can be captured more easily than ever just by sniffing to eavesdrop. All these scenarios have made strong encryption a vital tool against intruders. It prevents data from being stolen while transmitted over the network. Information can be encrypted when transmitted and decrypted once received by two key families of algorithms: symmetric key algorithms and public key algorithms.
This method of encryption, shown in Figure 6, uses an identical key for both encryption of the plaintext and decryption of the ciphertext. This key has to remain secret between the parties involved in sharing the information. The basic form of such an encryption scheme is:
E: K × M → C, where
E = encryption algorithm
K = set of secret keys
M = set of messages transmitted
C = set of ciphertexts
such that
E_k: M → C, m ↦ E(k, m), for every k ∈ K.
Figure 6 explains the phases of a symmetric encryption algorithm, where the encrypted ciphertext is transmitted over the network and, after decryption, the output is the plaintext. This type of encryption allows secrecy of information but lacks integrity and authentication of the parties sharing it. Symmetric ciphers can be divided into:
Stream ciphers: encrypt the message bit by bit, producing a single output stream one element at a time.
Block ciphers: combine a fixed number of message bits into a block and encrypt them as one unit before transmission.
A public key algorithm, illustrated in Figure 7, is a system of encryption in which two separate cryptographic keys are used. The public key is used to verify a digital signature or to encrypt plaintext, and the private key is used to create a digital signature or to decrypt the ciphertext. The two keys are mathematically related to each other. An encryption is written as:
C → K[P]
Figure 7 explains the phases of a public key algorithm, where the encrypted ciphertext is transmitted over the network and, after decryption, the output is the plaintext.
The most popular public key encryption is RSA, which was proposed in 1977, soon after Diffie and Hellman had established the idea of public key encryption.
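To make the relation C → K[P] between the two keys concrete, here is a small textbook RSA walk-through written for this edit (it is not code from the thesis): key generation from two primes, encryption with the public key and decryption with the private key, and the reverse use of the same keys for signing and verifying. It uses the toy primes 61 and 53 and applies no padding, so it shows only the mathematics; a real deployment needs large primes and a padding scheme such as OAEP for encryption or PSS for signatures.

```python
from math import gcd

# Added example, not code from the thesis.  Toy parameters chosen for readability.
TOY_P, TOY_Q, TOY_E = 61, 53, 17


def keypair(p: int, q: int, e: int = TOY_E):
    """Return ((n, e), (n, d)): the public key and its mathematically related private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e * d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: int) -> int:
    """C = K_pub[P]: anyone holding the public key can produce the ciphertext."""
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer below the modulus")
    return pow(plaintext, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """P = K_priv[C]: only the private key recovers the plaintext."""
    n, d = private_key
    return pow(ciphertext, d, n)


def sign(private_key, message: int) -> int:
    """The same trapdoor used in reverse: the private key creates the signature..."""
    n, d = private_key
    return pow(message, d, n)


def verify(public_key, message: int, signature: int) -> bool:
    """...and the public key checks it, which is the verification role described above."""
    n, e = public_key
    return pow(signature, e, n) == message


if __name__ == "__main__":
    pub, priv = keypair(TOY_P, TOY_Q)
    c = encrypt(pub, 65)
    print("public", pub, "private", priv, "cipher of 65 =", c, "decrypts to", decrypt(priv, c))
    s = sign(priv, 65)
    print("signature", s, "verifies:", verify(pub, 65, s), "tampered message:", verify(pub, 66, s))
```

The script prints the key pair (3233, 17) / (3233, 2753), the ciphertext 2790 for the plaintext 65, and shows that the signature verifies for the original message but not for a tampered one.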
With such wide use of the wireless system in our daily life, there are always higher se-
curity risks of data being sniffed and injected. Thus there are several security measures
currently in use to avoid such intruders.
The WEP security algorithm was introduced as a security measure along with 802.11 in 1997. Its keys were written as 10 to 26 hexadecimal digits. This system was supposed to be capable of providing confidentiality of data carried over a wireless network comparable to that of a traditional wired network.
This system mainly works with two main parameters:
i. WEP key
ii. Initialization Vector (IV)
Data carried over WEP is protected with the RC4 stream cipher. This algorithm generates a key stream, which is combined with the original message, and the resulting ciphertext is then transmitted over the network. The keys used in WEP are sequences of hexadecimal values and the length of such keys depends on the form of the WEP standard implemented in the network:
i. 64-bit WEP (10-digit key)
ii. 128-bit WEP (26-digit key)
iii. 256-bit WEP (58-digit key)
Figure 8. WEP Encryption. Copied from [13]
Figure 8 illustrates the use of the RC4 algorithm in WEP encryption for data security. However, the WEP security protocol has several security drawbacks. It was discovered that data sent over networks secured by WEP encryption can be penetrated with simple tools and techniques available over the internet. As a result, it soon became unpopular among users. The major drawbacks of WEP encryption can be summarised as follows:
The WEP security algorithm gives very limited protection against unauthorised access and its security measures can be easily bypassed.
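The following Python script is an added example, not code from the thesis or from any WEP implementation. It implements RC4 key scheduling and keystream generation, wraps a payload the way WEP does (24-bit IV prepended to the secret key, CRC-32 integrity check value appended to the plaintext, the whole XORed with the keystream), and adds a small check relating the three key sizes listed above to their hexadecimal digit counts. The one-byte key-index field of a real WEP frame is left out for brevity, and the sample secret and IVs are constructed values. The last function is the defender's view of why WEP is so easily bypassed: with only 2^24 IVs per secret key, a busy network soon repeats an IV, and every repeat means two frames were XORed with the same RC4 keystream, which a monitoring tool should flag.

```python
import struct
import zlib
from collections import Counter

# Added example, not code from the thesis.
IV_BYTES = 3                       # WEP prepends a 24-bit initialization vector
IV_SPACE = 1 << (8 * IV_BYTES)     # only 16,777,216 distinct IVs per secret key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm (KSA) followed by pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_key_bits(hex_digits: int) -> int:
    """Nominal WEP key size = secret key bits (4 per hex digit) + the 24-bit IV.
    10 digits -> 64, 26 -> 128, 58 -> 256, matching the three forms listed above."""
    return 4 * hex_digits + 8 * IV_BYTES


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || RC4(iv || secret) XOR (plaintext || ICV).  Key-index byte omitted."""
    if len(iv) != IV_BYTES:
        raise ValueError("IV must be 3 bytes")
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4_keystream(iv + secret, len(data)))


def wep_decrypt(secret: bytes, packet: bytes) -> bytes:
    """Strip the IV, regenerate the keystream, check the ICV and return the plaintext."""
    iv, body = packet[:IV_BYTES], packet[IV_BYTES:]
    data = xor(body, rc4_keystream(iv + secret, len(body)))
    plaintext, received_icv = data[:-4], data[-4:]
    if received_icv != icv(plaintext):
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return plaintext


def repeated_ivs(packets) -> dict:
    """Defender's check: IVs seen more than once in a capture.  Each repeat means two
    frames were XORed with the same RC4 keystream."""
    counts = Counter(p[:IV_BYTES] for p in packets)
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed sample: a 40-bit secret (10 hex digits, "64-bit WEP") and three frames.
SECRET = bytes.fromhex("0123456789")
SAMPLE_PACKETS = [
    wep_encrypt(SECRET, bytes.fromhex("000001"), b"first frame"),
    wep_encrypt(SECRET, bytes.fromhex("000002"), b"second frame"),
    wep_encrypt(SECRET, bytes.fromhex("000001"), b"third frame, IV reused"),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p[:IV_BYTES].hex(), wep_decrypt(SECRET, p))
    print("repeated IVs:", {iv.hex(): n for iv, n in repeated_ivs(SAMPLE_PACKETS).items()})
    print("IV space:", IV_SPACE, "frames before a repeat is guaranteed")
```

The RC4 core can be checked against the published test vector (key "Key", plaintext "Plaintext" gives ciphertext BBF316E8D940AF0AD3), and the ICV check demonstrates that a single flipped ciphertext byte is rejected on decryption. Note that the ICV is a plain CRC and not a cryptographic MAC, which is one of the reasons WEP offers no real integrity protection.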
WPA is an improved standard designed by the Wi-Fi Alliance in 2003 to fill the gaps and security flaws in the WEP security standard. Its more sophisticated encryption techniques and user authentication quickly made it possible to replace the existing WEP protocol. WPA relies on the Temporal Key Integrity Protocol (TKIP) for the encryption of messages transmitted over networks. It automatically regenerates a 128-bit authentication key for every packet transmitted and prevents unauthorised access and eavesdropping. The major advantages of TKIP over WEP are:
2.4.5 WPA 2
This standard was implemented on 24 June 2004. It is a promising security solution for every 802.11 network, capable of tackling most of the security gaps in the earlier standards. It relies on TKIP and RC4. The Michael Message Integrity Check is used for message integrity. It also has strong authentication for users based on 802.1X EAP and PPK. It supports EAP, RADIUS, EAP-TLS and pre-shared keys. Figure 9 shows the evolution of the Wi-Fi security protocols with their security levels.
Figure 9 shows clearly that WEP has a poor security level and data safety is unreliable, while WPA and WPA2 allow more secure data transmission over wireless networks.
3 Bluetooth
Bluetooth is a global protocol used for short-range connectivity of wireless devices. It operates in the ISM band between 2.4 and 2.485 GHz, with frequency hopping at 1600 hops per second. Bluetooth works on the principle of short wavelengths. The Bluetooth protocol was developed by the Swedish phone maker Ericsson in 1994 and named after King Harald Bluetooth, who reigned in the 10th century. The standard is maintained and regulated by the Bluetooth Special Interest Group (SIG). This wireless technology works perfectly within a range of 10 m, with a data transfer rate of up to 720 Kbps. However, it has no fixed range: some devices work within 100 m and the range can be further extended using special antennas [16].
Wireless headsets remotely connected to mobile devices can make phone calls using Bluetooth. Cordless connections for mice, printers, keyboards and wireless MP3 players are some of the most beneficial applications of this technology. Besides, this specification is widely used for sharing data.
Nearly every Bluetooth device is capable of connecting with any other. Such pairing requires a pre-shared key for authentication of the pairing. Every Bluetooth device comes with a unique 48-bit identifier that works as a MAC address. However, such pairing is quite vulnerable and can be penetrated.
During a pairing process, Bluetooth devices form a very small network called a piconet, which comprises one master and seven operating slaves. As there is very little chance of two devices using the same frequency at the same time, Bluetooth has almost zero interference. The detailed process involved in establishing a connection and sharing data is shown in Figure 10 below.
Figure 10. Bluetooth sharing process (master and slave each enter the PIN)
As indicated in Figure 10, the sharing of encrypted data via Bluetooth starts with creating an authentication key and then creating the link between the devices. Such data is decrypted with the help of the pre-shared, authenticated key.
The SIG has set a designated layer of functionality for the Bluetooth protocol that ensures interoperability for every Bluetooth device. This allows developers to build a universal Bluetooth application whose hardware as well as software is capable of interoperating with every other Bluetooth device. Figure 11 shows the protocol stack of Bluetooth devices.
LMP sets the standard for baseband packet sizes, encryption and authentication. L2CAP provides connection-oriented and connectionless services. Lastly, SDP sets up the connection between the sharing Bluetooth devices [16].
3.2 Security
BlueSmack: The BlueSmack attack was originally devised against early Windows versions (Microsoft Windows 95) and later adapted to attack Bluetooth devices. It instantly knocks out targeted devices. This attack is executed at the L2CAP layer.
Bluetooth attacks and exploitation depend on the permission request and authentication process during connection. Despite there being numerous ways to prevent Bluetooth hacking, the best way to prevent it is to turn Bluetooth off when not in use.
4 Penetration Testing
Level 1: Footprinting
The first level of information gathering deals with extracting target information and the range of the target network. It is a way of passively gathering privileged information about the target network. This level of information gathering extracts data mainly with click-button automated tools. It is appropriate for meeting the compliance requirements of the penetration test. Social engineering techniques could also offer lots of information in footprinting. Some popular tools for footprinting include Whois, NsLookup, SmartWhois and Sam Spade [26].
Level 2: Scanning
Scanning is the process of obtaining more privileged information about the target network, such as open ports and active applications. Scanning of the target network can be done with automated tools, using the findings from Level 1. This level requires good knowledge of the infrastructure to be penetrated, its physical location, and organisational behaviours and relationships. This will allow the tester to gain information on the target's security strategy. Some popular tools for network scanning are Nmap, traceroute, ping, Netcat and so on.
Level 3: Enumerating
Enumerating is the advanced level of information gathering and requires a broad understanding of organisational behaviours, deep analysis of the reconnaissance scan, and hours of collection and correlation of information. All the information gathered in Levels 1 and 2 has to be well examined before performing Level 3 tests. In this phase, the main idea is to identify authentic users, badly protected resources, vulnerable accounts and the possibility of initiating null sessions. Such a test gives a clear picture of the security level of the target network and helps to select suitable exploits.
Threat modelling does not necessarily require any fixed standard. However, there have to be consistent terms for representing threats, their qualities and capabilities, and for analysing their future applicability. The whole process of threat modelling comprises two key aspects: assets and attackers.
The main goal of threat modelling is to find any hidden security vulnerability in a system and analyse those flaws in order to build a secure system and a roadmap for future work. It is a very powerful engineering practice since it targets actual threats rather than just vulnerabilities. It rules out the possibility of any external event compromising the assets and helps make a risk-free system. This model helps the development team anticipate potential harm and attacks. It helps focus on the actual security flaws and their viable solutions. Furthermore, developers can realise the possible vectors of attack and penetration. Hence it helps rebuild a risk-free solution. Figure 12 shows the basics of threat modelling and its analysis.
Figure 12. Threat Modelling and Analysis. Copied from [22]
The whole modelling process has to be clearly documented and should be presented to the authority once the test is completed. There are three main approaches to the modelling.
Attacker-centric: This approach begins with an attacker. The goals of such an attack and every possible route of attack are analysed beforehand.
Asset-centric: This approach starts from the asset itself. Such assets have to be entrusted to a system. Any information, including sensitive personal information, is of higher importance.
Figure (threat modelling cycle): identify security objectives; identify threats; identify vulnerabilities; repeat.
Figure 14 shows the different components of a vulnerability scanner, such as the scan engine.
After the analysis, any flaws discovered have to be disclosed. Such analysis paves the roadmap for the future development of a secure system.
4.4 Exploitation
The main focus of exploitation is entirely on gaining access to the system by bypassing its security restrictions. This phase is entirely related to the earlier phase of vulnerability analysis. Before exploitation is carried out, there should be an accurate attack vector planned to penetrate the targeted assets. Once suitable exploits have been deployed and the system has been penetrated, the security measures initially designed for the system have been overcome.
Successful exploitation of the system helps build countermeasures to avoid future unauthorised exploitation. Such measures may include anti-virus, encoding, packing, encryption, whitelist bypass, process injection and so on.
4.5 Post Exploitation
The main idea behind this phase is to identify and protect the information in the system being tested. It helps the tester and the owner maintain control over the sensitivity of the information within the system and maintain its usefulness. Identification and documentation of the sensitive information, its configuration and communication channels are described in this phase. There are certain rules of engagement to be followed in this phase in order to protect both the tester and the owner:
Once the exploitation has been successfully carried out on a system, the results of such exploitation are to be well documented and used in a report. Most likely, it should include the modifications and impacts on the system after exploitation.
4.6 Reporting
Reporting is the crucial phase of the whole operation and must convey every detail of the procedure and the findings to the intended audience. A report should include the background of the test and every detail of the procedures and the methodology used.
After a successful penetration test, the security flaws have to be classified on the basis of their severity, from low to extreme. The report should include every technical detail, such as scope and information, attack vectors, impact and possible countermeasures. Depending upon the client's requirement, a report can be publicly published or kept confidential. Overall, the test result should support the client's security posture.
Figure 15 shows the sections of a technical report: contact information, testing assets, objectives, scope, strength, approach and threats.
A well-documented report not only highlights the security flaws in the system but also helps sort out countermeasures. The report has to end on a positive note, with guidelines to increase the security measures of the system.
5 Wireshark
5.1 Introduction
Wireshark is one of the most powerful and universally used network packet analysers. This tool captures all the network packets (in and out of the system) and displays the details of such packets. It is an open source tool released by a global team of protocol experts in May 2006 and is available for most computing platforms: Windows, Linux, OS X and UNIX.
Wireshark is a cross-platform tool that uses the Qt widget toolkit and pcap for capturing packets. It also has a non-GUI version called TShark. It supports hundreds of media types and protocols. Figure 16 shows the UI of Wireshark for Linux.
Figure 16. UI of Wireshark.
This tool can be efficiently used to troubleshoot network problems, examine security threats and also as a debugger by developers. However, it does not perform intrusion detection and does not manipulate the network.
Some of the popular interfaces compatible with Wireshark include IEEE 802.11, Token Ring, Ethernet, ATM connections, serial (PPP/SLIP) and Linux-based devices (via libpcap). Wireshark not only captures live packets from the network but can also import and export files from several different capture programmes.
5.2 Installation
Wireshark is a free and open source programme. It is available for all popular operating systems (Windows, iOS and Linux). It is easy to install. For the purpose of penetration testing in this project, Wireshark was installed on Ubuntu. Figure 17 shows the installation process of Wireshark on the Ubuntu operating system.
6 Kali Linux
Kali Linux is one of the most popular and globally acknowledged toolkits for penetration testing of networks and digital forensics. It is maintained by Offensive Security Ltd. It belongs to the Unix-like OS family and its kernel is monolithic. It runs on a range of platforms, among them x86, x86-64, armhf and armel. It comprises around 300 penetration testing tools.
Kali has been completely rebuilt and revised from BackTrack Linux on a Debian base, with all new and revised packages of testing and penetration tools.
6.1 Installation
The installation of Kali Linux is a very easy process. The free version is available from the official website of Offensive Security, https://www.kali.org/downloads/. For this project, Kali tools were run from a USB drive. Figure 18 shows the user interface of Kali Linux.
The installation process is very simple and does not need any explanation, so it has been excluded here.
For the installation of Kali tools, compatible hardware is essential. The minimum hardware required for the installation of Kali Linux includes:
i. Minimum 10 GB free space
ii. 512 MB RAM for i386/amd64 architectures
iii. USB boot/CD-DVD drive support
However, the better the hardware, the better the performance. Kali tools can also be installed on Windows and Mac hardware.
6.3 Testing
The testing of a vulnerability in 802.11 will be carried out in Section 7. For that purpose the Aircrack tool of Kali will be used. A WPA secured network is chosen and, with the help of the Aircrack tool, the WPA handshake will be stolen and the cracking tool will attempt to decrypt the encrypted key. This handshake contains classified information of the network and has been encrypted. The main idea behind stealing this handshake is to obtain such classified information in the form of the authentication key and decrypt it.
7.1 Tools
In order to crack a WPA secured network, the Aircrack tool from Kali Linux is used. This tool is capable of cracking the network provided it is given sufficient and appropriate packet data. It implements FMS, KoreK and PTW attacks; thus it is the fastest tool available to crack a WPA network. The main areas of network security that the tool deals with include:
i. Monitoring: capturing packet data and exporting it into a readable text file for further analysis.
ii. Attacking: deauthenticating clients on the network and creating a fake access point for injection.
iii. Cracking WEP and WPA PSK networks, and packet injection.
7.2 Monitoring
Cracking any network using the Aircrack tools starts with creating a monitor mode interface. Monitor mode allows a device to capture and review all the traffic of any wireless network within range. The big advantage of monitor mode is that the device does not have to associate with an access point or any ad hoc network.
Creating the monitor interface is simply done with the command: airmon-ng start wlan0.
As seen in Figure 19, a monitor mode interface wlan0mon has been created for wlan0. Sometimes, a few interfering processes have to be killed before creating the monitor interface, simply with the kill command.
The next step is to gather information on the network that is to be cracked. It can be done with the command airodump-ng wlan0mon. With this command, we can gather valuable information on the network that will be needed for penetration testing.
Figure 20. Information gathering on the test network
In Figure 20, the test network “pandey niwas” has been monitored, showing its BSSID and the channel on which the router is broadcasting. This information will be helpful for further analysis and attacking.
7.4 Attacking
Once the monitor mode interface has been created and all the required information on the test network has been gathered, the attack on the network can be carried out. In this process, we will use the information on the network from Figure 19. We will try to steal the information and the encrypted key and write it to a folder on our computer.
The command to execute the process is:
airodump-ng -c X --bssid <BSSID> -w <prefix> wlan0mon
where X is the channel on which the router is broadcasting (in this case 6), <BSSID> is the BSSID of the router, <prefix> is the path and file name prefix under which the captured information is saved (the folder created for this purpose), and wlan0mon is the monitor interface name.
In Figure 21, the WPA handshake from the devices connected to the test network has been captured and stolen. Once this command is executed, the WPA handshake, which includes all the encrypted confidential information, will be copied to the folder created in the earlier process. Now we have successfully stolen the WPA handshake. The next step is to deauthenticate the clients of the network and finally crack the test network.
Once we have stolen the WPA handshake, we have all the confidential information on the network. Now the next step is to deauthenticate the clients of the network. We will use the aireplay-ng command to send 5 deauthentication packets, which will force the devices connected to the network to reconnect to it. At this time, we have full control over the network, so we will be able to capture and decrypt the confidential information on the network.
The command for this process is aireplay-ng -0 5 -a A0:1B:29:82:26:18 -c A0:1B:29:82:26:18 -e "name of the network" wlan0mon, where -0 5 sends 5 deauthentication packets, -a gives the router's MAC address, -c the MAC address of the client station to be deauthenticated, -e the name (ESSID) of the network and wlan0mon is the monitor interface name.
Figure 22 shows 5 de-authentication packets being sent, which will force the devices connected to the network to reconnect, while the information is stolen and stored.
This command forces the clients connected to the network to reconnect to the system automatically. What they are unaware of is that the confidential information is being stolen. The next step is to download the WPA wordlists that will be used to compare against and crack the stolen key. A WPA wordlist file [5] has been downloaded and saved on the workstation.
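The deauthentication burst described above is also what a defender can look for: the aireplay-ng step leaves a run of management frames of subtype 12 (deauthentication) against one BSSID within a very short time, and a capture of that traffic is exactly the kind of pcap file that Wireshark (Section 5) imports. The following Python script is an added example written for this thesis and is not part of Aircrack-ng or Wireshark. It builds a small classic pcap file (link type 105, raw IEEE 802.11 frames) from constructed sample frames, parses it back, decodes the 802.11 management header and flags any BSSID that receives five or more deauthentication or disassociation frames within one second. The BSSIDs, timestamps and thresholds are assumptions chosen for the example, not values from the test network.

```python
"""Constructed pcap of 802.11 management frames and a deauth-flood check.
Added example for this thesis; MAC addresses and timestamps are invented."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_IEEE802_11 = 105        # raw 802.11 frames, no radiotap header
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, da, sa, bssid, seq, body=b""):
    """Management frame: FC(2) duration(2) addr1 addr2 addr3 seqctl(2) body.
    Frame control byte 0 = subtype<<4 | type<<2 | version; type 0 = management."""
    fc = bytes([(subtype << 4) | (0 << 2) | 0, 0x00])
    header = fc + b"\x00\x00" + mac_to_bytes(da) + mac_to_bytes(sa) + mac_to_bytes(bssid)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)
    return header + body


def build_pcap(frames):
    """frames: iterable of (timestamp_seconds, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, frame in frames:
        sec, usec = divmod(round(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return (linktype, [(timestamp, frame_bytes), ...]) for a classic pcap file."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        packets.append((sec + usec / 1_000_000, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def parse_mgmt_header(frame):
    """Decode the fixed 24-byte header; returns None for truncated frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    return {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
            "da": bytes_to_mac(frame[4:10]), "sa": bytes_to_mac(frame[10:16]),
            "bssid": bytes_to_mac(frame[16:22]), "body": frame[24:]}


def detect_deauth_floods(packets, window=1.0, threshold=5):
    """Alert on any BSSID with >= threshold deauth/disassoc frames in `window` seconds.
    The peak count is found with a sliding window over the sorted timestamps."""
    per_bssid = defaultdict(list)
    for ts, frame in packets:
        hdr = parse_mgmt_header(frame)
        if hdr and hdr["type"] == 0 and hdr["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            per_bssid[hdr["bssid"]].append(ts)
    alerts = []
    for bssid, stamps in per_bssid.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"bssid": bssid, "peak_per_window": peak, "total": len(stamps)})
    return alerts


def sample_capture():
    """Constructed traffic (not a real capture): three beacons from AP_A, a burst
    of seven broadcast deauth frames spoofed from AP_A, one normal deauth from AP_B."""
    ap_a, ap_b = "02:00:00:00:00:01", "02:00:00:00:00:02"
    bcast, sta = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:10"
    frames = [(0.1 * i, build_mgmt_frame(SUBTYPE_BEACON, bcast, ap_a, ap_a, i)) for i in range(3)]
    frames += [(1.0 + 0.01 * i, build_mgmt_frame(SUBTYPE_DEAUTH, bcast, ap_a, ap_a, 100 + i,
                                                 struct.pack("<H", 7)))   # reason 7: class 3 frame
               for i in range(7)]
    frames.append((5.0, build_mgmt_frame(SUBTYPE_DEAUTH, sta, ap_b, ap_b, 9,
                                         struct.pack("<H", 3))))          # reason 3: STA leaving
    return build_pcap(frames)


if __name__ == "__main__":
    _linktype, pkts = parse_pcap(sample_capture())
    for alert in detect_deauth_floods(pkts):
        print(f"deauth flood against {alert['bssid']}: "
              f"{alert['peak_per_window']} frames within 1 s ({alert['total']} total)")
```

The pcap produced by sample_capture() can be written to disk and opened in Wireshark, which decodes it the same way (the frames carry no radiotap header, so link type 105 is required). A single deauthentication frame, such as the one from AP_B, is normal protocol behaviour and is deliberately not reported; only a burst against one BSSID raises an alert.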
Now the final step is to crack the key, which can be done with the command
aircrack-ng -a 2 -b <BSSID> -w <wordlist> <capture prefix>*.cap
where -a 2 selects WPA-PSK cracking, -b is the BSSID of the target network, -w the location of the wordlist and the last argument is the location of the test folder created earlier containing all the stolen capture files.
As shown in Figure 23, the login key for the test network “pandey niwas” has been cracked. The whole process is quite simple and can be easily executed on any network.
8 Summary
The wireless network is an integral part of modern Information Technology and is implemented on most of the smart gadgets used on a daily basis. With such a vast field of implementation, security concerns have risen drastically. Despite several security arrangements, new ways of penetrating the devices are being introduced and will always be introduced.
The main goal of this thesis was to penetrate a wireless test network in order to determine the security level of the network. The test network was penetrated using the Aircrack tool from Kali Linux, thus revealing a vulnerability in the network. In order to maintain the desired security level, it is therefore always necessary to keep systems upgraded. As far as IEEE 802.11 standards are concerned, it would be wise to change security parameters every once in a while. Whilst penetration testing is unable to secure wireless networks completely, it helps make them safer by revealing vulnerabilities.
References
1. Gary J. Mullett. Springfield Technical Community College, National Centre for Telecommunications Technologies. Introduction to Wireless Communication. https://www.cengagebrain.com.au/content/9781133885641.pdf
2. Andrea Goldsmith. Cambridge University. Wireless Communications, 2005. http://wsl.stanford.edu/~andrea/Wireless/SampleChapters.pdf Accessed March 2016.
3. Verhappen Ian. IEEE 802.11 Evolution Continues. May 06 2013. http://www.controlglobal.com/articles/2013/verhappen-ieee-evolution/ Accessed on 4th March 2016.
4. Banerji S. & Chowdhury R.S., RCC Institute of Information Technology, India. On IEEE 802.11: Wireless LAN Technology. 2013. ftp/arxiv/papers/1307/1307.2661.pdf Accessed on 4th March 2016.
5. Wireless LAN 802.11 Wi-Fi. Engineering and Technology History Wiki. http://ethw.org/Wireless_LAN_802.11_Wi-Fi Accessed on 4th March 2016.
6. IEEE 802.11 Standards. IEEE Standards Association. http://standards.ieee.org/getieee802/download/802.11-2012.pdf
7. IEEE 802.11 Wi-Fi Standards. Wireless Connectivity. Adrio Communications Ltd. http://www.radio-electronics.com/info/wireless/wi-fi/ieee-802-11-standards-tutorial.php Accessed on 5th March 2016.
8. Kelly Gordon. Forbes/Tech. 802.11ac vs 802.11n Wi-Fi: What’s The Difference? http://www.forbes.com/sites/gordonkelly/2014/12/30/802-11ac-vs-802-11n-wifi-whats-the-difference/#351df1143785 Accessed on 5th March 2016.
9. Coleman David. Aerohive Networks. 2.4 GHz Channel Planning: Wi-Fi Back to Basics. July 2012. http://boundless.aerohive.com/experts/wi-fi-back-to-basics--24-ghz-channel-planning.html Accessed on 6th March 2016.
10. European Standard EN 301 893, EN 300 328 V1.8.1 to be mandatory from 1st January 2015. http://www.tuv-sud.co.uk/uk-en/about-tuev-sued/tuev-sued-in-the-uk/tuev-sued-product-service/tuev-sued-product-service-news/en-300-328-v1.8.1-to-be-mandatory-from-1st-january-2015 Accessed on 7th March 2016.
11. Decision 2005/513/EC. Commission Decision, Official Journal of the European Union, 11 July 2005. http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2005:187:0022:0024:EN:PDF
12. Kartik Krishnan. Computer Networks and Computer Security. 2004. http://www4.ncsu.edu/~kksivara/sfwr4c03/lectures/lecture9.pdf Accessed on 17th March 2016.
13. Public Key Algorithms. http://www.abcseo.com/papers/security/09-public-key-algorithms.htm Accessed on 17th March 2016.
14. Wi-Fi Alliance Security Roadmap. Wi-Fi Alliance. http://csrc.nist.gov/archive/wireless/S09_WPA%20Analyst%20Briefing%2005-part1-ff.pdf Accessed on 18th March 2016.
15. Brian R. Miller & Booz A. Hamilton. Issues in Wireless Security. 2002. https://www.acsac.org/2002/case/wed-c-330-Miller.pdf Accessed on 18th March 2016.
16. Bluetooth Technology Basics. Mac Developer Library. Apple Computer Inc. 2003, 2012. https://developer.apple.com/library/mac/documentation/DeviceDrivers/Conceptual/Bluetooth/BT_Bluetooth_Basics/BT_Bluetooth_Basics.html Accessed on 21st March 2016.
17. National Security Agency. Bluetooth Security. https://www.nsa.gov/ia/_files/factsheets/i732-016r-07.pdf Accessed on 23rd March 2016.
18. John Padgette, Karen Scarfone, Lily Chen. National Institute of Standards and Technology, U.S. Department of Commerce. Guide to Bluetooth Security. June 2012. http://csrc.nist.gov/publications/nistpubs/800-121-rev1/sp800-121_rev1.pdf Accessed on 23rd March 2016.
19. Tu C. Niem. SANS Institute. Bluetooth And Its Inherent Security Issues. https://www.sans.org/reading-room/whitepapers/wireless/bluetooth-inherent-security-issues-945 Accessed on 23rd March 2016.
20. High Level Organisation of the Standard. 2014. http://www.pentest-standard.org/index.php/Main_Page Accessed on 30th March 2016.
21. Dave Burrows. SANS Institute. Penetration 101 - Introduction to becoming a Penetration Tester. https://www.sans.org/reading-room/whitepapers/testing/penetration-101-introduction-penetration-tester-266 Accessed on 30th March 2016.
22. Sam Supakkul, Lawrence Chung. University of Texas. Security Threat Modelling and Analysis: A Goal-Oriented Approach. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.103.2997&rep=rep1&type=pdf Accessed on 4th April 2016.
23. What is Wireshark? https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html Accessed on 15th April 2016.
24. Aircrack-ng. http://aircrack-ng.org/ Accessed on 17th November 2016.
25. WPA / WPA2 Word List Dictionaries Downloads. WirelesSHack. http://www.wirelesshack.org/wpa-wpa2-word-list-dictionaries.html Accessed on 17th November 2016.
26. Russell Dean Vines, Chief Security Advisor for Gotham Technology Group. SearchITChannel. Penetration testing reconnaissance. http://searchitchannel.techtarget.com/tip/Penetration-testing-reconnaissance-Footprinting-scanning-and-enumerating Accessed on 26th November 2016.