ABSTRACT. The rapid growth in Wireless networking brought the need for securing the wireless

Transcription

1 ABSTRACT The rapid growth in Wireless networking brought the need for securing the wireless network which became very important today. Many existing security techniques like standard encryption methods for securing the network like WEP, WPA and WPA2 are prone to vulnerabilities and exploitation. Thus raising need for better network security. This project concentrates on different encryption standards that can be used to achieve secure networking. It also discusses the importance of wireless penetration testing and how the penetration testing is done using some tools. The main purpose of this project is to develop a tool which will monitor the network and detects the various IP addresses, ports and users that are connected in a network. By using this tool the network administrator can block selected IP addresses, ports and unauthorized users. ii

2 TABLE OF CONTENTS Abstract... ii Table of Contents... iii List of Figures...v List of Tables... vii 1. Background and Rationale Wireless Security Wireless Equivalent Privacy WI-FI Protected Access WI-FI Protected Access Version Network Security and its Architecture Host Based Security Narrative Reasons for Conducting Penetration Testing Planning and Preparation Information Gathering and Analysis Detection of Vulnerabilities Penetration Attempt Analysis and Reporting Cleaning Up Penetration Tools AirMagnet Laptop Analyzer WireShark Cain and Able WEP attack...34 iii

3 3.5 NetSTumbler Wireless Mon System Design Tool and its functionality Implementation of the tool Testing Results and Conclusion Future Work...52 Bibliography and References...53 Appendix A iv

4 LIST OF FIGURES Figure 1 Encryption...3 Figure 2 Decryption...3 Figure 3 Comparison Table of WEP, WPA and WPA2...5 Figure 4 The GUI Version of NMAP...15 Figure 5 Laptop Analyzer Start Screen...19 Figure 6 Laptop Analyzer Channel Screen...21 Figure 7 Laptop Analyzer Interference Screen...22 Figure 8 Laptop Analyzer Infrastructure Screen...23 Figure 9 Laptop Analyzer AirWISE Screen...25 Figure 10 Laptop Analyzer Decoder Screen...26 Figure 11 Wireshark Sample capture...27 Figure 12 Wireshark preferences window...28 Figure 13 Wireshark encrypted packet...29 Figure 14 Hiding SSID by using Wireshark...30 Figure 15 Applying filter to the network using Wireshark...30 Figure 16 Features of the Cain and Abel...31 Figure 17 Procedure shows the list of hosts connected to the router...32 Figure 18 Cain and Abel using ARP...33 Figure 19 Working With WEP attack...34 Figure 20 Kismet Dumpfile attempting to crack the networks...35 Figure 21 Using Wordlist User Determines the WEP key...35 Figure 22 Netstumbler with Signal Strength, SNR and Noise...36 Figure 23 Netstumbler detecting Access points...37 Figure 24 Home Screen of Wireless Mon...38 v

5 Figure 25 Map and general Options in Wireless Mon...39 Figure 26 Graph of the Network Related to Percentage vs Time in Wireless Mon...40 Figure 27 Statistics Details in Wireless Mon...41 Figure 28 Advanced Mode...45 Figure 29 Blocking Remote IP...46 Figure 30 Deleting the rule...47 Figure 31 Local Mode...48 Figure 32: Adding Blocking Rules in Local Mode...49 vi

6 LIST OF TABLES Table 1.1 Wireless Local Area Network Protocols 2 vii

7 1. BACKGROUND AND RATIONALE Wireless networks provide mobility to the user and thus it has gained much popularity. But in wireless networks there is a huge probability of being attacked by hackers compared to wired networks [Gonzalo 2008]. IEEE standards have given highest priority to the wireless security. Wireless Security is a process of preventing unauthorized devices or people from entering the network. In general the basic idea to protect the wireless network is to use wireless intrusion prevention system and wireless penetration testing [Guennoun 2008]. There may be several procedures to protect the wireless networks but researchers proved that the best approach for providing wireless security is by using Wireless Penetration Testing. The goal of wireless penetration testing is to find the vulnerabilities of the network and to confirm the effectiveness of the security measures that are implemented in that particular network or an organization. 1

8 1.1 Wireless Security IEEE has proposed several different protocols like a, b, g, and n. These protocols may vary in security purposes, maximum data rate that can be transferred, modulation schemes, channel bandwidth etc. Table 1 describes different Wireless Local Area Network protocols and how they are different. Table 1: Wireless Local Area Network Protocols [Broadcom 2006] To protect the wireless networks, IEEE standards provides three standard security measures [1]. 1. Wireless Equivalent Privacy (WEP) 2. WI-FI Protected Access (WPA) 3. WPA2 (WI-FI protected access Version 2) Wireless Equivalent Privacy IEEE b uses wireless equivalent privacy in the protocol to provide secure access to the network. WEP uses RC4 and cyclic redundancy check algorithms to provide encryption and data integrity to the network [Bharath 2

9 2009]. This protocol is usually implemented in the data and physical layers of the OSI layer model. WEP algorithms are mainly dependant on RC4 algorithm. The working procedure of RC4 algorithm is demonstrated in figure1. Figure1: Encryption (Sender)[Boland 2004] Figure2: Decryption(Receiver)[Boland 2004] Figure 1 and 2 describes how the encryption and decryption are done at sender and receiver side as follows: 1. At the sender s side the check sum is calculated and it is appended to the message and this is referred to as the plain text. 2. Here the key stream usually uses two keys: one is secret key and the other is public key. The secret key (k) should be agreed if both client and server of the network accept this key. Pubic key is generated dynamically when encryption is done. 3. Then the results of step1 and step 2 are XOR- ed, which results in cipher text. This cipher text is transmitted to the receiver. 3

10 4. The cipher text on the receiver s side is XOR-ed with the key stream which results in the plain text.the plain text usually contains the original message along with CRC. The various Security issues in WEP are as follows: 1. WEP cannot stop the forgery of packets. 2. WEP cannot stop the replay attacks. 3. Many wireless networks will not enable WEP because of overhead involved in using the keys. 4. WEP check sum algorithm can be easily predicted. 5. WEP does not use RC4 algorithm properly because the keys used are really weak such that by brute force attack the attackers can easily find the encryption keys WI_FI Protected Access (WPA) The security features like authentication and encryption are very weak in WEP which have been overcome in WPA. One of the major differences between WPA and WEP is that WPA uses temporal key exchange protocol which solves various issues addressed in WEP [Danesh 2009]. Another important feature of WPA is that it has a built-in authentication system which is not provided and supported in WEP [G Verdone 2006]. The various WPA improvements over WEP are as follows: WPA uses message integrity check to solve the issue of forgery of packets. WPA uses a new IV sequencing discipline to solve the issue of replay of the attacks. 4

11 A per-packet key mixing function is used to solve the issue of the weak keys. WPA uses re-keying mechanism which provides fresh encryption and integrity keys which enable encryption keys to change frequently and thus the attackers cannot easily find the keys WI_FI protected access Version 2 (WPA2): WPA2 is referred as the next generation WI-FI security. WPA2 has a high level of security when compared to WPA. WPA2 uses advanced encryption standard (AES) which encrypts 128 bit data with 128 bit encryption key. Since the encryption key is very long, attackers cannot easily detect the keys [Danesh 2009]. WPA 2 also uses cipher block chaining message authentication code protocol (CCMP) which creates a message integrity code that stops the forgery of packets. Advantages of using WPA2: WPA2 uses fresh session keys for each and every session. The encryption keys used for one client will be different for another client. Figure 3 shows the comparison of WEP, WPA and WPA2 protocols and also explains what type of authentication and encryption standards are followed. Figure 3: Comparison table of WEP, WPA and WPA2 [Max-Pedia 2002] 5

12 1.2 Network Security and its Architecture: The main task involved in network security and its architecture is to reduce the security risks with efficient security policies. A decade back the network architecture was mainly concentrated on developing a security network parameters around an organization i.e. in this architecture the firewall was placed at the point where the network will access the internet. But in this traditional architecture several security flaws such as managing huge number of computers and security threats from inside the perimeter protected by a firewall are encountered [Mark 2003]. The best procedure to be followed in the architecture is as follows: Step 1: Removing the network components that usually use shared Ethernet: Shared Ethernet switches are usually referred to as hubs.they are usually used to connect multiple computers and multiple networks. The hubs will send all the network traffic to all computers which are connected to that particular hub. The main problem involved in these Ethernet switches is that if one computer is compromised with security and if this computer is the one that monitors the traffic from all other computers that are connected to that particular hub, it may reveal the secret information like passwords and other important information. Step 2: Multiple Firewalls in a Network: Linux based firewalls are usually very cheap when compared to other firewalls. These firewalls can be installed in various locations if required. It is better to provide a firewall from organization network especially from where it connects to the internet. This type of firewall is also known as a border firewall and it provides protection to all the computers which are connected in a network. The major advantage of using this type of firewall is that it can block the entire access of attacks such as SQL 6

13 WORM which was launched in Apart from border firewall, installing additional firewalls provides additional security to the network. One example includes installing the firewall in network segments etc. Step 3: Implementing Intrusion detection system (IDS) at key points in the network which monitors threats and attacks: Intrusion detection system is an application that is usually used to monitor network detecting malicious activities. The IDS also analyzes the traffic which is leaving the organization for patterns which show that the security is compromised. An Intrusion Prevention system has IDS integrated with a firewall i.e. Intrusion prevention system is an application which performs IDS and also tries to stop the detection vulnerabilities [Mark 2003]. Step 4: Implementing a Virtual private network (VPN) for off- campus and wireless access: VPN is a network which uses internet to provide remote access to individual users. VPN uses software on each and every computer which accesses the network and Each computer that is connected to the network is known as a VPN client. By using the virtual private network the users of an organization can access the organization s network in a secure way. The virtual private network provides an encrypted connection, so that the VPN client can access the organization s network remotely. The need of encrypting wireless network traffic is important because it eliminates the risk of other users on the same network. Step 5: Report Network traffic Statistics for the computers which are using more bandwidth: Finding the number of bytes a computer sends and receives from internet will help us to find the computers which are compromised in security issues. The administrator 7

14 finds these computers which are using high bandwidth. However, all these steps will not guarantee security, but it would be the starting point for improving the network security in the network. Various harmful practices that can exist on the network once the computer has compromised for security are as follows: Host Based Security: Any computer in a network is usually referred as a host. A host is a target for hackers. Once the host is compromised for the security a lot of problems can arise. The host may be used as a storage device for sharing illegal material, personal information like credit card details or social security numbers can be released. Hence, the user can realize that host-based security plays a prominent role in network security architecture. The recent study says that the average time to get a computer security compromised is one day. The host based security can be provided if the organization follows some good practices like using updated virus protection, operating system that is configured correctly and has all security patches are installed. The various ways of an organization providing high level of host based security is as follows: 1. Providing Virus Protection with Automatic Updates service on all important systems: Viruses and worms are familiar security threats. The viruses are programmed for any kind of operating system but most of the viruses exploit security flaws for Microsoft products. The reason for targeting the Microsoft products is because these products are largely used in universities. The latest viruses or worms will spread very rapidly. So it is important to select an antivirus product such that it gets updated frequently. 8

15 2. Performing the risk assessment to find the important computers to protect: The most important step in providing a host based security plan is to perform risk assessment. By performing risk assessment, organization can find important hosts that need to be protected. Usually the process of risk assessment includes the hosts like administrative systems, web servers, etc. 3. Using a network scanning utility to create profile for each computer identified in Step 2 The important tasks involved in this step are to create a profile for each host which is identified in performing the risk assessment. The information that is going to be present in this profile are the operating system that is used by that particular host and the services that are accessible to the network [Mark 2003]. Each network services on a host are associated with a specific TCP/IP port number. In a small organization it is easy to find the host individuals and finding the information but most organizations will prefer to use an automated tool to detect the port numbers. The tools like NMAP, Internet scanner are used to detect these to find out the details of a host. 4. Disabling the Network Services which are not needed for that host is identified in step 3: In general most operating systems will enable the most common network services. Hence most of the hosts run the services which are not really necessary. As a result, the services like web server, data base server which are not needed for the host must be disabled. One of the famous tools for analyzing the host is CISECURITY. This toolkit is easy to use and identifies the security issues efficiently [Mark 2003]. 9

16 The host based firewalls is a better solution to implement firewalls. Host based firewalls are a piece of software that runs on each computer which is similar to a network firewall. The only difference between a network firewall and a host based firewall is that network firewalls will protect all the network computers where as host based firewalls will protect only a single computer. The recent study states that, the host based firewalls play a prominent role and that the only issue with host based firewalls is that these firewalls are creating a huge number of time consuming false alarms [Mark 2003]. 5. Monitor security alerts and develop mechanisms for quickly patching systems: If any security alerts are declared, the administrator needs to consult the profiles which are created in step 3 to check what computers are in critical condition. If there are a large number of computers to track then the administrator must look for a tool which had a process of automatic updating the computers. Most of the organizations will reset these border firewalls to block access of the network if there are any security alerts. 6. Creating a centralized system logging service: Most of the operating systems provide system logging. The main purpose of having system logging is to keep a record of each computer when the network is accessed. These records usually contain some identifying information, time stamps etc. By creating a centralized system logging service, the administrator can collect information from all the machines that are connected in a network and can check whether any abnormal activities exist in that network [Mark 2003]. 10

17 7. Create a central authentication to replace host based password files: Recent studies states that host based password files are not very secure because the users create passwords which are found in some dictionary. There are many operating systems which are useful to encrypt password files. This process of encrypting password files is not secure because hackers can easily decrypt these files with the available tools. Creating a centralized authentication like Kerberos eliminates the user passwords from the local computers as well as decryption of the passwords on local computer. 11

18 2. NARRATIVE Penetration testing is a process of understanding or the assessment of security measures taken by a particular organization. If penetration testing is done properly, then it is easy to find the risks that are associated with a particular network. The results analyzed from studying and understanding the security measures are documented properly the organization can openly discuss and take proper actions. The most important step in performing penetration testing is planning. It should be well planned such that if penetration testing is completed, most of the vulnerabilities are exploited [Blackburn 2002]. Legal hacking like war driving and penetration testing are not just like scanning for the open ports [Joel 2005]. The various ways a professional hacker or an attacker can attack the network are as follows: 1. Determining network details from the information available on the online resources. 2. By doing site surveying procedures. 3. By finding all the hardware devices used in that particular network. 4. By finding the strength of the signal and boundaries of the network. 5. By understanding the network traffic on the network i.e. whether the data in that particular traffic is encrypted or not. 6. Finding the hosts of the network. 7. Finding the details of the hosts, understanding the security protocols of the hosts and attacking the hosts such that attackers can gain the benefits of that particular host. 12

19 2.1 Reasons for conducting penetration Testing: The most important reasons for conducting penetration testing are as follows: 1. Avoiding financial loss by losing information because of intrusion by attackers, or dissatisfied employees. 2. Protecting the organization brand value such that the customers confidence on the organizations brand is relatively very high. The steps used in penetration testing are as follows [Chan 2002]: 1. Planning and Preparation 2. Information gathering and analysis 3. Detection of the vulnerabilities 4. Penetration Attempt 5. Analysis and Reporting 6. Cleaning Up Planning and Preparation: As discussed before, in penetration testing the most important phase is planning and preparation. In this step, there is a meeting between penetration testers and organization. The various discussions that are involved are as follows 1. The outcome of the results after testing should be accepted by both the organization and penetration testers. 2. In the planning phase, the penetration testing time should be decided i.e. at what time the testing should be conducted. It should discuss about the specific 13

20 time the testing should be performed and it should also discuss about when the testing will complete. 3. Some of the systems are vulnerable i.e. if any kind of testing is performed the whole system crashes. So testing should be avoided on these systems. 4. Penetration testers should spend enough time within the organization i.e. about the tests that penetration testers are going to tested. 5. The organization must inform important staff members about the penetration testing details to be carried out on the network, so that if it faces any abnormal experience,the staff may have an idea regarding that 6. The confidentiality of data is important. During the penetration testing if any information is collected it must be returned to the organization once the testing is completed Information gathering and analysis: After the planning phase is completed the next phase is to collect complete information of the organization network. The various ways to collect the information are as follows: 1. If an organization has an online website, it is the place where the information needs to be obtained from. This information may be useful in later stages of penetration testing. 2. By conducting network survey, the administrator can find the number of systems that are reachable. The results should consist of domain names, server names, IP addresses and ISP provider. 14

21 3. The best tool to conduct network survey is NMAP. By using NMAP, administrator can scan the systems in a very large network. By using NMAP the user can also find what operating system that particular host is running on the system. Figure 4 Shows the GUI version of NMAP and also shows different functions that are available on NMAP. Figure 4: The GUI version of NMAP (Source: 4. After doing network survey the next phase is port scanning. By using port scanner Admin can find the open and closed ports of the network. 5. The various other tools that are used to obtain information are hping, netcat, firewalk, ethereal, icmpquery etc Detection of the vulnerabilities: After collecting the information, next phase is finding the vulnerabilities in a system. Detailed analysis is done on the information collected to find the vulnerabilities that exist on the particular system. This type of scanning is also known as manual vulnerability scanning. The various tools that are used to find the vulnerabilities are NESSUS, SANA etc. Nessus is a scanner which is generally used 15

22 to find the vulnerabilities in a network [George 2005]. After performing the scanning it shows the list of vulnerabilities that exist in a network and it also provides the possible solutions to these vulnerabilities Penetration Attempt After finding the vulnerabilities in the system the next phase is finding the targets for a penetration attempt. The various tools that are used for penetration attempt are Brutes, LC3, etc [Reto 2008]. One of the usual tests for penetration attempt is password cracking. The various ways that are used for password cracking are as follows: Dictionary Attack Hybrid Attack Brute force Attack The other methods that are used for penetration attempt are social engineering and testing organization securities etc, Analysis and Reporting: After conducting the penetrating attempt phase, the next phase is to create a document for the organization. This document should have the information about various vulnerabilities that exist in the network. Based on the priority the vulnerabilities are listed i.e. the vital on the top and less risk ones later in the document. The main reason for dividing it into two phases is that it can help the organizations which are really vulnerable to attacks. The other reports that are included in the document are as follows: Brief description of all the penetration scenarios. 16

23 All the information that penetration testers can gather during the testing. All the vulnerabilities in the network. Detailed description of each vulnerability Suggestions that penetration testers want to make to the organization Cleaning Up: The important reason behind having this phase included in the penetration testing is to remove all the mess which is done during the penetration testing. This phase makes use of all the actions that are performed during penetration testing. This makes it easier for the cleaning process to be done. The cleaning process must be thoroughly checked by the members of the organization so as to confirm that the systems are working normally. 17

24 3. Penetration Tools The Penetration tools are divided in to various categories like 1. Wireless Network Discovery, Mapping and Traffic Analysis (The various tasks involves in these kinds are discovering wireless LAN s, Sniffing, Logging and analyzing packets) 2. Client Evaluation Tools (Checks the state of the clients or local machines) 3. RF signal strength monitoring (Monitors the signals strength of a LAN) 4. Wireless specific encryption cracking (Tools for gaining access to protected wireless networks) 5. Wireless Custom Frame Generation (These allow layer 2 attacks on wireless LAN s) The Various tools that are analyzed in this project are as follows: 1. Air Magnet Laptop Analyzer 2. Wireshark 3. Cain and Able 4. WEP attack 5. Netstumbler 6. Wireless Mon 18

25 3.1AirMagnet Laptop Analyzer: Air Magnet Laptop Analyzer is a tool which analyzes Wireless Local Area Network (WLAN) to provide speed and throughput of This tool provides many functions for various wireless network problems. The various functions that are present in Air Magnet Laptop Analyzer are WLAN throughput simulator tool, Throughput /Iperf Tool, n Efficiency and analysis tool, Device throughput calculator, n trouble shooting toolkit and alarms, integrated reports and Spectrum analyzer integration. The various features of this tool are: 1. WLAN administration 2. Security Policy Management 3. Performance Policy Management 4. Installing survey and audit 5. Connection Troubleshooting Figure 5: Laptop Analyzer Start Screen 19

26 Figure 5 shows the Laptop analyzer start screen which is divided in to 6 regions. 1. The top left of the figure in region 1 shows the signal strength, signal to noise ratio for all channels in the a and b spectrum. Using the drop down menu in region 6 users can get more detailed channel information by just clicking on the applicable channel. 2. Region 2 provides information like total number of SSIDs, access points which are operating on the particular environment. This region2 has one more section i.e. expert advice section shows that number of security alarms that have been generated and the order of those security alarms categorized according to their critical level. 3. Region 3 shows the pictorial representation of region 2 in the form of pie chart. 4. Region 4 shows all the access points which are operating on the particular environment. Users can expand or collapse between clients and access points. User scan has a view filter on the right side of the corner to view all the devices or filter based channels. SSID, Device type and type of alarms generated. From right to left the grid shows type of encryption used, interference score, signal/noise information, protocol, MAC address and device name. Right clicking the access point in the figure 5 allows the user to run built in utilities. 5. Region 5 shows the various problems that are detected by the air magnet in the network. The left side of the panel shows the policy hierarchy and right side of the panel shows the graph of number of alarms. 6. Region 6 shows the toolbar which allows the user to do multiple tasks at a time. 20

27 Figure 6: Laptop Analyzer Channel Screen Figure 6 shows the channel screen of the laptop analyzer. It is divided into four regions. The channel screen can be accessed through an icon which is present at the bottom of the application screen. 1. Region 1 allows the user to select the channel. Once the user selects the channel it is reflected on the right side of the panel. Throughput and utilization of the channel in terms of relative performance is displayed. 2. Region 2 shows the graphs in different colors to show the proportions of the channel capacity like 1, 2, 5 and 11 Mbps bandwidth on the channel like the green color indicates 11 Mbps channel and 1 Mbps indicates 1 Mbps channel. 3. Region 3 shows the total statistics and details of a given channel. All the low level detail information is collected in this section. Each color represents separate category of statistics which gives detailed information. 21

28 4. Region 4 shows the real time statistics and graphs of the channel to diagnose the network. Figure 7: Laptop Analyzer Interference Screen Figure 7 shows the interference screen and it is divided into six different regions. Figure 7 shows the amount of interference that is present on a particular given channel. 1. Region 1 shows the interference status of the channel and it also provides features to select the channel for which the interference is required. Interference is usually generated From side by side channel interferences in WI-FI devices and hidden nodes. The green status in region 1 indicates that interference on that channel is tolerable while the yellow status indicates that the system is experiencing higher than 22

29 normal interference and the red status indicates that interference channel is not tolerable for the particular channel. 2. Region2 shows all the devices that are causing the interference. It usually contains access points, ad-hoc devices and stations. 3. Region3 shows various hidden nodes which are making the interference. 4. Region4 shows any non devices which are making the channel interference. The various devices that it can detect are cordless phones, Bluetooth devices, wireless cameras etc. 5. Region 5 shows the overall interference of the channel and the devices. 6. Region 6 shows the user to view different graphs like signal, noise, retries for the particular channel. Figure 8: Laptop Analyzer Infrastructure Screen 23

30 Figure 8 is the Laptop Analyzer infrastructure screen. The infrastructure screen is similar to channel screen. The only difference between these two screens is, that by having an infrastructure screen the user can investigate the wireless local area network by SSID, access points instead of channels. Figure 8 is divided in to four different regions 1. Region 1 shows all the SSID s within a given SSID that are associated with a given access point. By right clicking on an access point the user can find the physical location of that particular device. 2. Region 2 shows all the information in the form of pie chart which is related to region Region3 shows total statistics and details of a given channel. All the low level details and information are collected in this section. Each color represents separate category of statistics which gives detailed information. 4. Region 4 shows the real time statistics and graphs of the channel to diagnose the network. 24

31 Figure 9: Laptop Analyzer Air WISE Screen Figure 9 is Laptop Analyzer screen which helps to solve the security and performance issues. It also contains all alarms which are generated and creates information to solve the issues. Figure 9 is divided in to three different regions 1. Region one i.e. the left panel lists all the alarms which are generated during that session. By clicking on the alarm the user can find more detailed information of that particular alarm. 2. Region 2 gives detailed information of the situation that caused the alarms i.e. it provides specific details like Mac address, IP address of that particular devices. 3. Region 3 shows the statistics and charts of the alarms which are generated. 25

32 Figure 10: Laptop Analyzer Decoder Screen Figure 10 shows the Laptop Analyzer decoder screen. Figure 10 helps to analyze the decoded data. Air Magnet laptop analyzer decodes layer 1 to layer 3 for all traffic and decodes layer 7 for protocols like FTP, HTTP, SMPT and Telnet. The users have an additional option of Advanced Packet Filters based on BSID, nodes and Ip addresses. Figure 10 is divided into three different regions. 1. Region 1 on figure 10 shows that the users can enable filtering of captured packets. 2. Region 2 shows common packet information like packet, channel, and signal level. 3. When the administrator stops the capturing of packets, Air Magnet will display all available frame data for the selected packet in region 3. 26

33 3.2 Wireshark: Wireshark is a network protocol analyzer. It lets the user to analyze the traffic in a computer network. The various features of Wireshark are: 1. Thorough inspection on various protocols 2. Live capture and offline analysis 3. Platform Independent (Runs on any operating system like windows, Linux, Solaris etc) 4. It supports various protocols for decryption (WEP, WPA, and WPA2) Figure 11: Wireshark Sample capture Figure 11 shows the sample packet capture. It gives the information about what source and destination IP addresses are using the network Decrypting Traffic: One of the challenges in wireless traffic analysis is inspecting the contents of encrypted frames. Since Wireshark have an ability to decode higher level protocols, encrypted packets limit the ability to analyze the packets and troubleshoot network problems. 27

34 The main advantage of Wireshark is its ability to analyze WEP encrypted data when configured with the proper WEP key. Figure 12: Wireshark preferences window Figure 12 show that the user can configure proper WEP key by clicking preferences and expanding the protocols menu and selecting the The Wireshark preferences window provides the WEP keys in hexadecimal form separated by colons. Once selecting the WEP keys enable the decryption check box. 28

35 Figure 13: Wireshark encrypted packet Figure 13 shows that Wireshark will automatically apply the WEP key to each WEP encrypted packet in the capture. If the encrypted packet is decrypted properly the user can see both encrypted and decrypted views. Wireshark also separates the contents of unencrypted frame Identifying Hidden Service Set Identifier (SSIDs): Many organizations prevent their access points from advertizing SSIDs. This provides minimal amount of security. When the access point wants to hide the SSID of the network, the access point removes the SSID advertisement from beacon frames. The normal way of hiding the SSID of the network is by replacing the SSID with NULL bytes. 29

36 Figure 14: Hiding SSID by using Wireshark Figure 14 shows how SSID value is replaced by zero bytes in length. This may prevent a normal observer to know the SSID value. In this example, the Basic Service Set Identifier (BSSID) of the network is 00:0b:86:c2:a4:89; the user can apply a display filter for this network BSSID and associate request frames to examine the SSID name sent by the client. Figure 15: Applying filter to the network using Wireshark Figure 15 show that by applying the filter, the user reveals any association requests for the specified BSSID. 30

37 3.3 Cain and Abel: Cain and Abel is a wireless scanner. Figure 16 explains the features of this tool. It has an ability to scan wireless networks signals within a range and gives the details of Mac address, the vendor, the name of the SSID, signal strength, whether it is WEP or not, it is ad-hoc network or any other infrastructure. Scanning and sniffer are special features of Air cap. Figure 16: Features of the Cain and Abel 31

38 Figure 17: Procedure shows the list of hosts connected to the router Figure 17 shows that by using Cain and Abel tool, administrator can find the users who are connected in that particular router. By clicking All hosts in my subnet User can find all the users who connected by the router. 32

39 Figure 18: Cain and Abel using ARP Figure 18 shows that by clicking on ARP, a user can proceed with an attack usually known as ARP Poisoning and finally the administrator can intercept the packets that the victim is sending and receiving. 33

40 3.4 WEP attack: WEP is an open source Linux tool for breaking WEP keys. This tool is usually based on Dictionary attacks that search various words to find the correct key. The main feature of this tool is that only one packet is needed to initiate an attack [Andrew 2004] Capturing Encrypted Packets: To initiate an attack the first thing needed is to capture an encrypted packet. Capturing of packet is done with the tool popularly known as Kismet Figure 19: Working With WEP attack Figure 19 shows the home screen of WEP attack. It shows the various options like Dumpfile, wordlist, mode and network. 34

41 Figure 20: Kismet Dumpfile attempting to crack the networks Figure 21: Using wordlist user determines the WEP key Figure 20 shows how to attempt cracking the networks with WEP keys and where as figure 21 shows the various wordlist to determine the WEP keys 35

42 3.5. Netstumbler: Netstumbler is also called as network stumbler. It is a tool which helps to find the wireless local area networks using b and a. This tool can run only on windows operating systems. The main features of network stumbler are as follows: 1. War Driving 2. Checking network configurations 3. Detects which causes wireless interferences 4. It has an ability to find un- authorized access points 5. It has the ability to give MIDI feedback for signal strength Figure 22: Netstumbler with signal strength, SNR and Noise Figure 22 shows that wireless networks a Netstumbler has found with signal strength, SNR and Noise. Different colors have different meaning i.e. green indicates the signal strength is good, Yellow is marginal and if it is red, it is useless. 36

43 Figure 23: Netstumbler detecting Access points Figure 23 show that the Netstumbler has detected access points. By default no filter is configured. Hence it shows all the access points which are detected. Each access point is marked with different color. Green indicates that the signal is good; yellow indicates that the signal is marginal and finally red indicates that the signal is too low. A lock will appears on the colored icon which shows that the access point is currently encryption enabled. On the left panel of figure 23 the user has a channel option which is mainly used to detect all access points which are listed under channel frequencies. Under SSID s the user can find all detected access points sorted by name. Once the administrator turns off encryption it can find open access points only. 37

44 3.6. Wireless Mon: Wireless Mon is a tool usually used to monitor the status of wireless Wi-Fi adaptor and also to collect information of access points. Wireless Mon has an ability to log the information to the files. It also provides signal level and Wi-Fi statistics. Various features of wireless Mon includes like 1. Checking if Network configurations is correct 2. Finding signal levels for the user Wi-Fi networks and nearby networks 3. Finding sources which causing interference 4. War Driving (Finding Hot spots) 5. Exactly finding the wireless antenna 6. Checking Wi-Fi coverage and range 7. Checking Wi- Fi hardware and drivers working normally Figure 24: Home Screen of Wireless Mon Figure 24 is the home screen of the wireless Mon. The various options available in this tool are: 1. SSID gives the name of the network 2. MAC ADDRESS is the Media Access Control address of the device 38

45 3. STRENGTH provides the strength of the signal caught by adapter 4. SPEED is the Network bandwidth 5. AUTH TYPE is the name of security protocol 6. FRAG THRESHOLD is the frame size 7. RTS THRESHOLD is the packet sizes 8. FREQUENCY is the number of occurrences of a repeating event per unit time 9. CHANNEL is the Wi-Fi signal range 10. TxPOWER determines how the transmit power of the receiving base station 11. SECURITY is the prevention of unauthorized access 12. RSSI is the measurement of the power present in a received radio signal 13. NETWORK TYPE indicates the physical layer for 24-GHz Orthogonal Frequency Division Multiplexing radios Figure 25: Map and general Options in Wireless Mon 39

46 Figure 25 shows the map and general options in Wireless Mon. The first task is to load the map for signal strengths to be drawn. Enter the path of an image file of the map in Map Image path. The map is displayed with a hexagonal grid and each grid represents the sample of that particular map. Figure 26: Graph of the network related to Percentage vs. Time in Wireless Mon Figure 26 shows the graph related to percentage Vs Time. Here the administrator has two options. i.e. select graph and select sources. Select graph has different options like signal strength percentage vs. time, Signal strength dbm vs. time, received rate (bytes/sec) vs. time and sent rate (bytes/sec) vs. time. Select source is the option where the administrator can select different networks that are available. 40

47 Figure 27: Statistics details in Wireless Mon Figure 27 shows the statistics details. The various statistical data that can be seen are transmitted frame count, multicast trans frame count, failed count, retry count, multiple retry count, RTS success count, RTS failure count, Frame duplicate count, received fragment count, ACK failure count, Multicast REC frame count and FCS error count. 41

48 4. System Design 4.1 Tool and its functionality Computer networks for home and business can be built using wired or wireless technology. Wired Ethernet has been the traditional choice in homes, but Wi-Fi wireless technologies are gaining ground fast. Both wired and wireless has advantages over the other; both represent viable options for home and other local area networks (LANs). In the field of networking, the area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources. The need of security is the important factor for all the corporate organizations. Access Points cannot decide whether a particular user is authorized or not. Modern operating systems such as Mac OS or Microsoft Windows make it fairly easy to set up a PC as a wireless LAN 'base station' using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address. No matter how the Internet/LAN border is protected, it may be necessary to add another layer of security by using a software personal firewall. The tool implemented in this project is a network scanner that provides a complete overview of the network with minimal administrative efforts and which controls network traffic to and from a computer, permitting or denying communications based on a security policy. 42

49 This project offers a comprehensive protection for Windows-based network workstations under a public environment. Once the application is installed and configured on all remote computers, physical attendance is not required. The only settings that are to be modified are security settings, which will control the network as per defined rules. The main features of the tool implemented in this research are: 1. It has the ability to block unique remote hosts, remote ports and local ports giving the user a complete control over Network. 2. The user can create Rules & based into that a request will be blocked or allowed. 3. It works in 2 different modes: High Security Mode & Low Security Mode. 4. In High security mode if any rules satisfies then it will block that request. 5. In Low security mode if all the rules are satisfied then only it will block the connection. 6. The application can be run in Local network connection or Advance filtering mode. 7. In the Advance filtering mode the Network Protector will allow or Block all the Internet Traffic, including Local connections. 8. In the Local connection mode it will only block or allow Local network requests. 9. Rules can be set or unset by Remote IP, MAC, Remote Port, Local Port & Computer Name. 43

50 4.2 Implementation of the Tool Whenever user gets any packets on the network, windows fills some structures regarding the state, IP, destinations & data. Windows APIs is used to fetch the structure & set the State of that packet to block or unblock. To design and code Visual Basic 6 IDE & Microsoft Native APIs are used. The important functions that are used to develop the tool are as follows: GetTcpTable: The GetTcpTable function defined in "iphlpapi.dll" retrieves the IPv4 TCP connection table. Once the user get all the information about a connection the user can check whether it s IP or port or anything, matching with rules or not. If there is a match just call SetTcpEntry function defined in "IPhlpAPI.dll", to set the State for that connection and that packet will be dropped. Check Block: Check Block function matches all the passed parameters with the Rule sets stored in the Registry. bsetregvalue, bgetregvalue and DelSetting functions are used to set, get & delete registry values respectively. For example, if the user sets a rule, that any Packet from IP address should be blocked, then the user checks if the Remote IP is equivalent to this Rule or not. If it doesn t match, then it does not do anything and simply returns. Otherwise user sets the state to Block. 44

51 4.3 Testing This tool contains two modes i.e. advanced mode and local mode Figure 28: Advanced Mode Figure 28 shows the advanced mode of the tool which is divided in to four different regions. 1. Region 1 in Figure 28 represents the various options available for the administrator. The options which are available for the tool are scan on click, stop and advanced mode/ local mode. Scan on click is the option used whenever the administrator wants to start the scanning i.e. it runs the IP addresses, Remote Port and Local Port which are using the network traffic. Stop option is used to stop the scanning of network traffic. And finally one more option i.e. advanced mode / local mode is used to switch between mode. 2. Region 2 displays the List of IP addresses, Remote Port and Local Port which are running on the particular network. 45

52 3. Region 3 shows the blocked list of IP address, Remote Port and Local Port. The IP address, Remote Port and Local Port which are present in the blocked list cannot access the network. 4. Region 4 shows the information like at what time the IP address, local Port and remote port is accessing the network. It also shows whether particular IP address is allowed or blocked. Blocking the Remote IP in Advanced Mode: Figure 29: Blocking Remote IP Figure 29 shows that, user can see the tool had blocked the remote IP address. The figure is divided to 2 regions. 1. The region 1 shows the list of Blocked IP address, Remote Port and Local Port. The highlighted figure of region 1 shows that, the tool had blocked ( ) IP address. 46

53 2. The region 2 is used to show the status of the IP address, Remote Port and Local Port i.e. whether the connection is allowed or blocked. The highlighted figure of region 2 shows that, once the is blocked the status is updated. Deleting the Rules: Figure 30: Deleting the rule Figure 29 shows that, user can see the tool had blocked the remote IP address. The figure is divided to 2 regions 1. The region 1 shows the removed list of Blocked IP address, Remote Port and Local Port. The highlighted figure of region 1 shows that, the tool had removed blocked ( ) IP address. 2. The region 2 is used to show the status of the IP address, Remote Port and Local Port i.e. whether the connection is allowed or blocked. The highlighted 47

54 figure of region 2 shows that, once the is allowed the status is updated. Local Mode: Figure 31: Local Mode Figure 31 shows the local mode of the tool. Figure 31 is divided in to 4 different regions. 1. Region 1 in figure 31 represents the various options available for the administrator. The options which are available for the tool are scan on click, stop and advanced mode/ local mode. Scan on click is the option used whenever the administrator wants to start the scanning i.e. it runs the IP address, Mac Address and Computer Name which are in the network. Stop option is used to stop the scanning of network. And finally one more option 48

55 i.e. advanced mode / local mode is used to switch between one mode to another mode. 2. Region 2 displays the List of IP addresses, Mac Address and Computer Names which are running on the particular network. 3. Region 3 shows the blocked list of IP address, Mac Address and Computer Names. The IP address, Mac Address and Computer Names which are present in the blocked list cannot access the network. 4. Region 4 shows the information like at what time the IP address, Mac Address and Computer Names is in the network. It also shows status of IP address whether it is allowed or blocked. Adding Blocking rules in a Local Mode: Figure 32: Adding Blocking Rules in Local Mode 49

56 Figure 32 shows adding a MAC rule to block the computers in a network. Figure 32 is highlighted in to two different regions 1. The region 1 shows the list of Blocked IP address, Mac Address and Computer Names. The highlighted figure of region 1 shows that, the tool had blocked (00-0C-F AD) Mac address. 2. The region 2 is used to show the status of the IP address, Mac Address and Computer Names i.e. whether the connection is allowed or blocked. The highlighted figure of region 2 shows that, once the (00-0C-F AD) Mac Address is blocked the status is updated. 50