Wireless network generally can be defined as a network which is set up by using radio signal frequency to communicate among computers and other network devices. Wireless networks known as WiFi network or WLAN.
As a network grows and expands wireless networks are extremely popular and easy to setup feature and no cabling involved. There are two main components to access the wireless network which are wireless router or access point and wireless clients. Wireless network normally used in 802.11a, 802.11b, 802.11g, and 802.11n standards protocol.
Wireless network needs highly security to carry all kinds of confidential data which means at least enabling Wired Equivalent Privacy (WEP) on the access point. Without proper implementation of security measures, any wireless network adapter coming within the range can access the internet without permission. So, it will results in congestion and some of the authorized client cannot access the internet. So, this research will do wireless network auditing by sniffing some of the information within the access point and detect possible intrusions in Faculty of Computer and Mathematical Sciences.
Wireless network is a network which is setup by using radio signal frequency to communicate among multiple stations at one time. In addition, wireless network referred as WiFi network or WLAN. Although we have enable WEP encryption on the access point, there are still some weaknesses which can be easily crack by the users with the right equipment to crack. The attacker can sniff easily with several tools to crack the password to break in as unauthorized person. In order to verify the correct access point settings and detect intrusions in terms of security in wireless network, we construct the complete script to audit wireless networks.
1.2 Problem Statement
Nowadays wireless network become a trend in communication. Each wireless system or access point was setup with certain policies. It is hard to verify whether each wireless access point setup correctly or not. Plus, nowadays we need to use many tools to verify the wireless access point status. Furthermore, most of network admin does not check back each wireless access point after its configuration. Moreover, we need some tools to identify the intrusions that come where they are try to access the Internet. Besides that, some of attackers send spoofing frame to try access the wireless network. So, we cannot identify the attacker’s MAC address.
1.3 Research Objectives
The main objective of this project is:
To construct a script by using Scapy
To sniff and to find possible intrusion on wireless network related with wireless security.
1.4 Scope of the Research
This project focuses in Faculty of Computer and Mathematical Sciences that has multiple access points which will enables to sniff all the information on wireless networks. We focuses on Data Link layer 2 to sniff the broadcast frame and identify possible intrusion.
The main platform to run the tools:-
We are use two main tools to construct the script which are:-
1.5 Significance of the Research
This project is important to gain knowledge to construct the complete script by using Python2.6 and Scapy script. We can learn the easiest way by using this script with the shorter line compared to other script. This project also helps to learn 802.11 frame structure including beacon frame that has transmitted by the access point.
1.6 Organization of Thesis
This project divided into 5 main chapters: –
Chapter 1: In this chapter, we discussed on the introduction generally of this topic. It includes problem statement, objectives, scope and significance of the research.
Chapter 2: This chapter reviewed literature that relate to the topic with previous researches. We include the similar of related studies to our research.
Chapter 3: In third chapter, we identify materials and methods that are described in methodology phases in order to get the desired information for the accomplishment of this research.
Chapter 4: In fourth chapter, we discusses on the findings of the research.
Chapter 5: Finally, the last chapter is focuses on the recommendations and suggestions where it will summarize the conclusion of the research.
This introduction of this chapter had clearly explained the problem statement, objectives, scope, and significances of the research. This chapter gives a clear view of the overall content of the research.
This chapter examines the previous work done by prior researcher in the field of auditing wireless network, security of wireless network and any other related works. Section 2.1 discuss on main platform to install the tools. Section 2.2 discuss on the tools to be use to construct and run the script. Section 2.3 discuss on standard protocol fro wireless Lan(WLAN), IEE 802.11. Then, sections 2.4 discuss on frame for 802.11, 2.5 Wireless LAN components, 2.6 Wireless Network Sniffing, 2.7 reviews for the related works and lastly 2.8 Summarizations of Literature Reviews.
Ubuntu is a free operating system, developed by small team developers who are established Linux Debian projects. This free operating system was developed to facilitate the use of desktop linux, Ubuntu. It developed based on the Debian GNU/Linux distribution and distributed as free and open source software.
Most Ubuntu packages are based on package from Debian. Both distributions are using Debian’s deb package format and package management tools, Apt and Synaptic. However, sometimes .deb packages need to be rebuild from source to be used in Ubuntu.
Ubuntu have variant edition such as GNOME desktop, KDE edition, Kubuntu and server edition. In this project, we use Ubuntu 10.10 as our platform to run all the tools in it.
Python is the one of the programming language that can interpret in developing the applications such as web applications and integrate the system more effectively. Python can run on Windows, Linux/Unix, Mac OS X. All the Python programs can be packaged into stand-alone executable code for many using various tools.
In this project, we use the latest version, Python2.6 tool to construct and run the complete script after install all the Python package in Ubuntu10.10. We use Python as a programming language because it is most powerful language and shorter to write the code than other languages. Compared to other programming languages, Python are readable syntax, intuitive object orientation, very high level dynamic data types, full modularity, supporting hierarchical packages and many more.
According to Philippe Biondi (2009), Scapy is a powerful interactive packet manipulation program from Python program that be able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery.
For this project, we focused on 802.11 standard protocols. Scapy enable to sniff wireless network and generate the packet and can send it to the wireless network.
2.3 Wireless Protocol
2.3.1 IEEE 802.11
IEEE 802.11 is a standard protocol for wireless LAN (WLAN), which is uses RF technology to transmit and receive data over the air. Based on this standard protocol, it communicates between wireless client and a base stations or access point. There are several types of standard protocols which are 802.11a, 802.11b, 802.11g, and 802.11n. Here are briefly about types of standard protocols:
220.127.116.11 IEEE 802.11b
IEEE 802.11b standard supports maximum bandwidth 11Mbps in 2.4 Ghz. The advantage of this protocol is lowest. Disadvantage using this protocol is lowest maximum speed because it may interfere if no determined the frequency band.
18.104.22.168 IEEE 802.11a
802.11a supports bandwidth up to 54 Mbps in 5 GHz. The advantage of this protocol is fast maximum speed. Disadvantage using this protocol is the cost is higher than IEE 802.11b
22.214.171.124 IEE 802.11g
IEE 802.11g standard supports maximum bandwidth 54Mbps in the 2.4 GHz band in maximum range. The advantage is signal range is better with fastest maximum speed. Disadvantage using this protocol is higher cost than IEEE 802.11b.
126.96.36.199 IEEE 802.11n
IEEE 802.11n is developed on previous IEEE 802.11 standards by adding MIMO. IEEE 802.11n offers high throughput wireless transmission at 100Mbps – 200 Mbps. It is better performance compared with IEE 802.11g.
2.4 802.11 Frame
2.4.1 Frame header
EachA frameA containsA aA standardA headerA asA shownA inA FigureA 2.1
Figure 2.1 Frame Header
TheA frame headerA containsA allA theA informationA neededA toA getA theA frame toA whereA itA isA goingA andA allowA theA receiverA toA understandA what messageA theA frameA isA carrying.
Frame Control – FC contains control information used for defining the type of 802.11 MAC frame and providing information necessary. FC field as shown in Figure 2.2
Figure 2.2 Frame Control Field
The details of frame control field as follows:
Protocol Version – Protocol Version provides the current version of the 802.11 protocol used.
Type and Subtypes – It is determines the function of the frame. There are three main different of type fields which are control, data and management and breaks into multiple subtypes.
Three values of type field:
00 – Management
01 – Control
10 – Data
11 – Reserved/Unused
Breaks into subtype field:
00/0000 – Management/Association Request
00/1000 – Management/Authentication
00/1100 – Management/Deauthentication
01/1011 – Control/Request To Send (RTS)
10/0000 – Data/Data
To DS and from DS – SpecifyA theA addressingA typeA ofA the frame, either the frame is going to or exiting from the DS.
More FragmentsA – Shows more fragments of the frame, either data or management type.
Retry – Retransmitted either data or management frame types.
Power ManagementA – shows whether the sending station is in active mode or power-save mode.
More DataA – shows to a station in power-save mode that the AP has more frames to send. It is also used for APs to show that additional broadcast/multicast frames are to follow.
WEPA – shows whether or not encryption and authentication are used in the frame.
OrderA – Shows that all received data frames must be processed in order.
Duration/ID – Shows the remaining duration needed to receive the next frame transmission.
Sequence Control (SEQ) – SEQ usedA forA fragmentationA and packetA reassembly.
Frame body – The frame body contains the data or information included in either management type or data type frames.
Frame Check Sequence (FCS) – The transmitting STA uses a cyclic redundancy check (CRC) over all the fields of the MAC header and the frame body field to generate the FCS value.
2.4.2 Beacon Frame
Beacon frames are identified by the type field being set to 0 (Management Frame) and subtype of 8. Beacon frame are used by access point to advertise its presence and relay information, such as timestamp, SSID, and other parameters based on access point to radio NICs that are within range. Radio NICs continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point is best to associate with.
According to Robin Wood (2007), peopleA mostly believe that turningA offA beaconsA willA hideA theirA networkA fromA attacksA asA their SSID will no longer be broadcast. Unfortunately, SSID is transmitted in clear text in all management frames and when the network is hidden while there is no data being transmitted, attacker can collect a management frame they can find in network SSID.
2.5 Wireless LAN component
2.5.1 Access point
Wireless access point (WAP) is a basically hardware equipment that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards. In a wireless network, an access point sends and receives signals to any number of other, local wireless devices. These are usually adapters and routers. The WAP is commonly use in offices, homes and educational institutions. WAP devices use in IEEE 802.11 standards.
2.6 Wireless Network Sniffing
Wireless Sniffer is captures the data on wireless network without being detected. Wireless network sniffing works in 802.11, Ethernet as the physical and data link layers which is able of reporting raw packets (RFMON support), which include any prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards.
Moreover, sniffing can also help find the easy kill as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections. Sniffing wireless network usually used by the attackers to capture the data and get the appropriate information from the beacon frame. There are several techniques used to sniff the wireless network. Some of them are as follows:-
Passive scanning is the first steps used to sniff the wireless networks. It is turn to mode RF into monitor mode that allows every frame appearing on a channel to be copied as the radio of the station tunes to various channels. A station in monitor mode can capture packets without associating with an AP or ad-hoc network. When the transmission of the data in the form of radio waves starts the attackers can scan the whole data passively and carry on the sniffing process.
The so-called promiscuous mode allows the capture of all wireless packets of an associated network. In this mode, packets cannot be read until authentication and association are completed. With the help of this data sniffer can easily decodes the secret information of the wireless networks.
After scan the data transmitted, it can detect the list of service set identifier (SSID) in the particular wireless network. The SSID shown in the Beacon frames is set to null in the hope of making the WLAN invisible unless a client already knows the correct SSID.A When the Beacon displays a null SSID, there are two possibilities.A Eventually, an Associate Request may appear from a legitimate station that already has a correct SSID.A To such a request, there will be an Associate Response frame from the AP.A Both frames will contain the SSID in the clear, and the attacker sniffs these.A
If the station wishes to join any available AP, it sends Probe Requests on all channels, and listens for Probe Responses that contain the SSIDs of the APs.A The station considers all Probe Responses, just as it would have with the non-empty SSID Beacon frames, to select an AP. Normal association then begins.A The attacker usually waits to sniff these Probe Responses and extract the SSIDs. Otherwise, if the beacon transmission is disabled, the attacker has two choices.A The attacker can keep sniffing waiting for a voluntary Associate Request to appear from a legal station that already has a correct SSID and sniff that SSID.A
Collection of MAC addresses
After detecting the SSID, sniffer now take steps to sniff the wireless network by collecting the required MAC addresses with the help of passive scanning and also with the help of different types of software. The collected of MAC address used for constructing spoofed frame by using specific tool. In wireless sniffing, there are some reasons why attacker collects all the MAC address. Some of the reasons are the attacker used sniffing to hide his or her identity and their access points. The other reason, access points used in collecting the MAC would not be registered.
2.7 Review of Previous Related Works
2.7.1 Author: David Maynor
Title of Paper: “Beginner’s Guide to Wireless Auditing” (2006)
This paper is a study of how to find the vulnerabilities in wireless devices drivers with specific techniques. The researcher discuss on how to build auditing environment, how to construct tools and finally how to interpret the results. On this paper, although this was done on Dell Latitude D610, the internal wireless card of the machine was not used. The researcher was used wireless card, Netgear WPN511 to set up auditing environment that is supported with madwifi drivers. The combination with LORCON (Loss Of Radio CONnectivity) ability to craft the packet from scratch. Moreover, after setting up the good environment with patch madwifi and LORCON, the researcher construct the script with Scapy to generate a simple frame and inject it. The researcher use Wireshark to see the packets injected.
2.7.2 Author: Shreeraj Shah
Title of Paper: “Secure Your Wireless Networks with Scapy Packet Manipulation” (2007)
According to Shreej Shah, Scapy is scriptable and easy to use compared with Kismet and Airodump-ng. This paper focused on intrusion detection by using proven techniques. There are two techniques can be employed which are passive sniffing and active packet injection. The researcher discussed only passive sniffing methodology. In this project, there are several steps are used in passive sniffing methodology as follows:-
Set up a station for radio frequency (RF) monitor mode
Sniff packets and discover network access points
Discover hidden access points and SSID (service set identifier)
Harvest MAC and IP addresses
Perform ongoing intrusion detection with sniffing.
2.7.3 Author: Robin Wood, Robin and freedomsoftware.co.uk
Title: “Programming Wireless Security” (2007)
This paper discussed some programming techniques to build wireless security tools. The researchers construct the script by using Python and Ruby script. There are several techniques that are used by using both scripts including deauthentication attack, sniffing wireless traffic and automating a Four-Way- Handshake capture. All the techniques will be brought together to create an applications to automate capturing an EAPOL handshake which can used to crack the Pre-Shared Key. This paper required several tools including Lorcon, Pylorcon, ruby lorcon and Scruby. Moreover, it also discussed about several issues on Scruby which means Ruby scripts will not work properly as exactly required.
2.8 Summarizations of some Literature Reviews
Project Similarities and Differences
Getting practical about wireless security, Part 1: Building a wireless sniffer with Perl
In this paper, lightweight wireless sniffer was build that runs on open source software. This paper show to use open source software by getting information about on wireless network and identified the common security problem.
Detecting and Responding to Data Link Layer
In this paper, Scapy is used to examine network traffic for data link layer attacks with identifying signatures and anomalies on both wired and wireless networks.
Petter Clutterbuck, Terry Rowlands, Owen Seamons
Auditing the Data Confidentiality of Wireless Local Area Networks
This paper describes how the software auditing artefact uses on sampled data packets to product a very detailed evaluation of the level of data confidentiality in effect across the WLAN.
Mingzhe Li, Mark Claypool, and Robert Kinicki
How to Build and Use an IEEE 802.11 Wireless Network Sniffer
In this paper, wireless sniffer is built on computers with Linux operating systems and prism GT-based wireless interface cards. The operating systems tested are SUSE (Novell) Linux release 9.0/9.1/9.2/10.0 and Linux Fedora Core 3 where the kernel version can be either 2.4.x or 2.6.x. The wireless network interface cards, Netgear WG 511 version 1 PCMCIA card and Allnet ALL0271 54Mbit Wireless PCI adapter are used
Table 2.1: Summarization of related Literature Review
All the information gathered from this literature review is very useful in order to identify potential information that can make this research more relevant. By understanding the scenario of past implementation, it will give a better view on how to achieve these research objectives and also inspire new ideas to be implemented or added into this research.
This chapter presents about the methodology being used as a guideline to ensure the project will operate successfully. Methodology consists of hardware, software and method that being used in this research. We need to choose proper hardware and software to meet the research requirement. Methodology is very important part to audit the wireless network with sequence of phases. We need to follow all this phases in order to accomplish the final project with achieving the objective. We divide the methodology of our project to several phases, where every phase will include the important activities and it’s significant to be done.
3.1 Methodology Phase
In this project, there are four phases of method that followed properly. First phase is planning, second phase is development, third phase is testing, fourth phase is result and evaluation and the last phase is documentation. All the flow of the methodology phase will be implementing systematically and efficiently as its role is vital to ensure the process of finishing this project in time. These phases are illustrated in methodology overview in Figure 3.1(i) and Figure 3.1(ii).
RESULT AND EVALUATION
Figure 3.1 Project Phase (i)
Result and Evaluation
Preliminary study of Literature
Install Python package
Install Scapy package
Run Scapy script
Sniff a list of access point.
Sniff Intrusion Detection
Writing a report
Determine hardware and software used
Scapy script completed
Final report completed.
Figure 3.1 Project Phase (ii)
3.2 Research Methodology
For planning phase, the activity is to define the objective of project by identifying problem assessment and by preliminary study of literature review. The deliverable of this phase can identify research objective and scope and also project planning. It consists of:
188.8.131.52 Preliminary study of literature review
The purpose is to understanding the similar or related project to be done. We need to review and get the idea on how it can be implemented and find the objective, scope and others benefit can get for the project requirement. This preliminary study can review by journals, online resource (internet), articles or book.
Diagram 3.1: Structure of research project
3.2.2 [a] Install operating system
We install Ubuntu 10.10 with interactive Graphical User Interface (GUI) on the laptop. It is easier to update the latest package. All the latest package including Python will updated on Ubuntu10.10
:~# sudo apt-get update
3.2.2 [b] Install tools
We install Scapy in Python program where the Scapy is interactive manipulation program that can construct with the shorter script compared to the other script. We install Python program as a main programming language and resides the entire package in it.
a. Install Python 2.6 package
:~# sudo apt-get install python
:~# cd /tmp
: /tmp# fetch http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
: /tmp# tar xvzf scapy-latest.tar.gz
: /tmp# cd scapy-2.1.0
: /tmp/scapy-2.1.0 # python setup.py install b. Install python-scapy package
:~# sudo apt-get install python-libpcap c. Install libpcap and libdnet and their Python wrappers.
:~# sudo apt-get install python-libdnet
d. Install additional software for special features.
:~# sudo apt-get install tcpdump graphviz imagemagick python-gnuplot python-crypto python-pyx
3.2.2 [c] Construct the script
We construct the script with Python program for sniffing and detect possible vulnerabilities. The script will run on Ubuntu 10.10 in root terminal.
Testing phase, the action is to test by sniffing wireless network in an area by running the completed script. Before we run the script, we need to setting up the station for radio frequency (FR) in monitor mode. We illustrates the steps in Figure 3.2
Construct the script
Setting up the station for Radio Frequency (RF) to monitor mode
Enter the command
Get the data from acces point including:-
Name of access point
Collect the data:
Intrusion Detection including:-
Discovering Rogue Access Point
Discovering Dummy Access Point
Figures 3.2 Steps for testing
3.2.4 Result and Evaluation
In this phase, we come out with the result by running the script. We collect all the information about SSID, MAC address, channel, radio type, security type, signal from broadcast frame that send by multiple access point. Next, we can detect possible intrusion by running other script using a same scripting language.
In this final phase, all the results and findings will be included in one report. From the documentation, the researcher can determine whether the project achieve the objectives or not.
3.3 Hardware and Software Required
To execute this project successfully, some requirement need to be accomplish. Some of the requirement will be involving hardware and software. Hardware’s that will be required are:
This project will used laptop.
Processor at least 1 Gigahertz of CPU speed.
3GB of RAM
250 Gigabyte of hard disk space
Intel WiFi Link 5100 wireless network interface card
Motherboard that support the processor
This project will be running on LINUX platform:
As a conclusion, this chapter is very important to gather all related and relevant information required. All the information will be used in order to achieve the objectives of this research.
RESULTS AND DISCUSSIONS
This chapter discusses on the results gathered from this research, which is obtained by implementing the methods in Chapter 3. The result based on running completed script on Ubuntu10.10. It will display all the available information of access point actively in an area after sniffing it. Moreover we can detect all the possible intrusion with display the list of rogue access point and dummy access point.
4.1 Sniff the wireless network
First of all we set up Radio Frequency (RF) into monitor mode which is in wlan0 interface. Next, we run the completed script that is already saved in root on Ubuntu 10.10 with the name of file, sniffap.py. Then, we open the root terminal by enter ./sniffap.py wlan0. The result has shown in Figure 4.1
Figure 4.1 Sniff Wireless Networks
sniffap.py – name of saved file
wlan0 – monitor mode interface
CONCLUSIONS AND RECOMMENDATIONS
This final chapter discuss about the conclusion of this research. It also discusses the suggestions and recommendations that will help those who want to upgrade or refers to this project in the future.
As you can see, having an effective wireless access policy is critical to the security of any organization that operates a wireless networks. Without appropriate policy, the attacker easily gain access the wireless networks.
This project is hopefully can only use the fully script to get the data from the access point without purchase the tools. Moreover, the admin take the action to get access point more securely and get a better signal for client to access the Internet.