Assignment Secure Wireless (or Not!)
CSC 4575/5575

Copyright © Tennessee Tech NSF SecKnitKit Project: Award# DUE-1140864

Due Date: Check iLearn
Total points: 15
TOPIC:
Objectives:
✓ To understand why adequate wireless security is important
✓ To be familiar with the security configuration of a wireless network
Assumption:
✓ User can import a virtual machine. (Not required if completing exercise on the Cyber Range)
Pre-condition:
✓ User has VirtualBox or equivalent. (Not required if completing exercise on the Cyber Range)
Expected Outcomes:
✓ Student understands why it is important to have adequate security set up in a wireless network.
✓ Student understands how vulnerable wireless networks are with inadequate security settings.
✓ Student understands how to properly configure security settings in a wireless network.
Overview:
This exercise is part of the SecKnitKit (Security Knitting Kit: Integrating Security into Traditional Computer Science Courses) project originally funded by the National Science Foundation (Awards #1140864, 1438861) and later maintained by DoD (H98230-20-100385 with FORD0061-30353). In this exercise, we will use a tool called Aircrack-ng to determine the passkey for a wireless network using WEP. By performing passive network packet analysis or actively injecting packets, we can gather enough information in order to determine the WEP key in a matter of seconds.
Primarily, wireless security is achieved by encrypting information between a router and its clients. Encryption allows information to be disguised/obscured in such a way that intruders cannot gather any intelligence from intercepted encrypted data. Several different types of wireless encryption technology exist today for use including WEP, WPA, WPA2, and WPA3. In the following, we will briefly introduce each type, their history, and potential security issues associated with them.
WEP:
WEP, or Wired Equivalent Privacy, was ratified in 1999 in order to give wireless networks a level of security comparable to that of wired networks. WEP uses the RC4 (Rivest Cipher 4) stream cipher to encrypt/decrypt traffic as it passes over the network. It offers both 64-bit encryption with a 10-digit (hexadecimal) key and 128-bit encryption with a 26-digit (hexadecimal) key. WEP was quickly broken in 2001 when Scott Fluhrer, Itsik Mantin, and Adi Shamir showed that by capturing enough packets, it is possible to recover the key in as little as one minute. This is because WEP uses a 24-bit randomly generated initialization vector (IV) along with the supplied key for each transmission. Because the IV is so short, IVs start to repeat after a modest number of packets, and patterns can then be discovered in the encrypted packets. Automated tools now exist for this exploit and need as little processing power as a smartphone has.
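To see why a 24-bit IV is too short, here is an added Python example (not part of the original handout) that computes the birthday-bound probability of an IV repeating after a given number of frames, and shows what a repeated IV leaks: because the same key and IV produce the same RC4 keystream, the XOR of two such ciphertexts equals the XOR of their plaintexts. The keystream bytes in the demonstration are a constructed stand-in, not real RC4 output.

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit IV to the shared secret key
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IV values


def iv_collision_probability(packets: int) -> float:
    """Probability that at least one IV repeats among `packets` frames when each
    frame draws its IV uniformly at random (birthday-bound approximation)."""
    pairs = packets * (packets - 1) / 2
    return 1.0 - math.exp(-pairs / IV_SPACE)


def packets_for_probability(target: float) -> int:
    """Smallest frame count at which an IV repeat is at least `target` likely."""
    n = math.ceil(math.sqrt(-2.0 * math.log(1.0 - target) * IV_SPACE))
    while iv_collision_probability(n) < target:
        n += 1
    return n


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two frames sent under the same key and IV are XORed with the same keystream k,
    so c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2: the keystream cancels
    and the XOR of the plaintexts is exposed without any knowledge of the key."""
    return xor_bytes(c1, c2)


def demo_repeated_iv() -> bool:
    """Constructed demonstration: encrypt two plaintexts with one stand-in
    keystream and confirm the leak equals p1 XOR p2. Returns True on success."""
    keystream = bytes([0x5A, 0x13, 0xC7, 0x88, 0x2E, 0x91, 0x04, 0xF0])  # constructed, not RC4
    p1 = b"GET /idx"
    p2 = b"HTTP/1.1"
    c1, c2 = xor_bytes(p1, keystream), xor_bytes(p2, keystream)
    return keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    for n in (5000, 100_000):
        print(f"{n:>7} frames: P(IV repeat) = {iv_collision_probability(n):.4f}")
    print("frames for a 50% chance of a repeat:", packets_for_probability(0.5))
    print("repeated IV leaks p1 XOR p2:", demo_repeated_iv())
```

At the 5000 packets the handout mentions there is already roughly a coin-flip chance of a repeated IV, and at 100,000 packets a repeat is a near certainty.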
WPA:
WPA, or Wi-Fi Protected Access, became available in 2003 in order to resolve the shortcomings of WEP. This original version of WPA was designed as a placeholder until a full replacement could be implemented. WPA offers two versions: Enterprise and Personal. WPA Personal (also known as WPA-PSK) uses the Temporal Key Integrity Protocol (TKIP), but WPA is still weak because, like WEP, it builds on the RC4 stream cipher. Even with a per-packet key mixing function for encryption, a sequence counter to prevent replay attacks, and a message integrity check, TKIP is still vulnerable to the same types of attacks to which WEP is vulnerable.
WPA2:
WPA2 improves upon WPA by replacing TKIP with the Counter Mode CBC-MAC Protocol (CCMP). CCMP uses the government-endorsed Advanced Encryption Standard (AES) to encrypt/decrypt the packets, while the key derivation for WPA/WPA2-PSK hashes your chosen passphrase with a salt (the SSID) through approximately 4096 rounds of HMAC-SHA1. While WPA2 is more secure than WPA, there are still vulnerabilities that allow attackers to crack the network password and see unencrypted data in the network.
WPA3:
WPA3 was released in 2018, making it the newest and most up-to-date wireless security protocol. It was created to address some of the vulnerabilities of WPA2 that have emerged over the past few years, the biggest being the ability for an attacker to brute-force guess the network passphrase. Making this worse, attackers could capture a lot of traffic and then crack the password off-site using the packet capture. WPA3 improves on WPA2 by replacing the Pre-Shared Key (PSK) with Simultaneous Authentication of Equals (SAE). This makes networks with simple passphrases harder for attackers to crack by brute-force guessing. It also means that users connected to the same WiFi network cannot snoop on each other’s traffic, and attackers cannot decrypt any captured traffic prior to determining the network password. All these changes make WPA3 the recommended and most secure wireless protocol today, with WEP being the least secure. Most wireless security configurations let you select not only one primary security method but any combination of them. However, since WPA3 was released so recently at the time of writing, a lot of devices still do not support it. In this case, WPA2-PSK is the best option.
In order to demonstrate how uninformed choices can be detrimental to personal security, and to observe some of the flaws in WEP, we will use several automated, freely available tools in this exercise to determine the WEP key for a communication session. Once the key is compromised, encryption is ineffective.
Reconnaissance:
Before an attacker can break the key, enough packets need to be communicated and captured that the IVs begin repeating, thereby exposing a notable pattern. There are several ways of gathering the packets. CommView for WiFi is a Windows tool that can be used to gather packets from multiple networks at the same time. Airodump-ng from the Aircrack-ng suite can also be used for this purpose (and was used for this exercise). Unfortunately, gathering a sufficient number of packets for observable patterns can take several hours if the network is not busy. This process can be sped up if the attacker’s network card supports packet injection. Before using either of these tools, the attacker must also have the proper drivers for a supported network card. To make the exercise feasible considering this limitation, the file containing captured network packets has been provided in the Networks folder on the desktop. Aircrack-ng can try to determine the key from as little as 5000 packets, but, generally, as the strength of the key increases, so will the number of packets needed for the attack to be successful. In a real-world scenario, the attacker would need to gather at least 100,000 packets from the target network to have a good chance of cracking the key.
Aircrack-ng:
As mentioned before, Aircrack-ng is an optimized key cracking suite for WEP and WPA-PSK. Using this suite, we will be able to determine the key of our target network. To begin, all we need is either the MAC address or the SSID of the target. The Media Access Control (MAC) address is a physical address assigned to the network interface controller by the manufacturer, and the Service Set Identifier (SSID) is simply the network name. Take note that the SSID of our network is “WEP_TEST”.
Setup (Skip the first two steps if completing the exercise on the Cyber Range):

  • Download VirtualBox. (https://www.virtualbox.org/wiki/Downloads)
  • Download and import the Debian virtual machine named SecKnitKit. (http://www.secknitkit.org/vms/asdh5t5s2ty451h3drtf5h25/SecKnitKit.ova)
  • Start the SecKnitKit virtual machine (VM). The password is “secknitkit”.
    Procedure:
  1. Read about the deliverables before you start.
  2. Type the following to change the directory to the location of the recon file:
    cd "Desktop/Networks/WEP Cracking"
  3. Open the recon.CAP file by running the following command:
    wireshark recon.CAP &
    (The & symbol at the end of the command will allow you to reuse the same terminal later, although Wireshark may still print messages to it.)
    You should see a window similar to the following. In the middle of the window you will see a list of rows; each row is an individual network packet. Each column shows a different piece of packet metadata: No., Time, Source, Destination, Protocol, Length, and Info. The pane below that shows the dissected contents of the selected packet. Finally, the pane at the very bottom of the screen shows the raw bytes of the packet in hexadecimal:
    Figure 1: Wireshark windows after opening the .pcap file
    These are the packets that were captured by another application (such as airodump-ng).
    If you look in the Protocol field, you will notice that all the packets are labeled as 802.11.
    IEEE 802.11 is the “working group” for the Wireless Local Area Network standards.
    802.11 consists of many different protocols such as 802.11a, 802.11b, g, n, etc.
    Each one of these has its own maximum range and transfer rate. When you buy a new router, you can check to see which protocols it supports. However, you may not be able to take advantage of the latest and greatest 802.11 protocol (such as ‘ax’) if your devices do not support it.
    Look back at the Wireshark window. We are dealing with an encrypted communication channel. However, some of these packets are not encrypted and we can use the information within them to our advantage. Let’s start by finding the name of the wireless network.
  4. Apply the following filter in Wireshark. The textbox underneath the second toolbar at the top of the window is where you apply filters. Type the following, then press Enter or click the submit button at the right side of the textbox.
    wlan.fc.type_subtype == 0x08
    You should see one packet in the list. In the Info column you can see that this is a Beacon frame. This frame will tell us some useful information about the network, such as the current channel, supported transfer rates, what protocol the device is using, privacy mechanisms, and the Service Set Identifier. The SSID serves as the network’s name (sometimes referred to as the Extended Service Set Identifier).
    You can see the network SSID in the “Info” field, or in the packet dissector in the lower pane of Wireshark.
    We will need the network name for the next part.
    We know that we are dealing with a network that is using some sort of encryption or authentication because we can see that the “Privacy” field under the “Fixed parameters” section is set to 1.
    Figure 2: Privacy flag in the packet dissector of Wireshark
    There are many additional fields present, and even more for a WPA frame. You can read more about wlan frames from the following resources:
    https://www.safaribooksonline.com/library/view/80211-wireless-networks/0596100523/ch04.html#id638531
    https://mrncciew.com/2014/10/08/802-11-mgmt-beacon-frame/
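As an added example (not part of the original handout), the following Python parses a beacon frame the way the Wireshark dissector does: it checks the same type/subtype value the filter above matches, reads the Privacy bit from the capability field, and pulls the SSID and channel out of the tagged parameters. The frame bytes are constructed here for illustration using the SSID and BSSID from this exercise; they are not taken from recon.CAP.

```python
import struct
from dataclasses import dataclass
from typing import Optional

BEACON = 0x08         # (type << 4) | subtype, the value wlan.fc.type_subtype == 0x08 matches
CAP_PRIVACY = 0x0010  # bit 4 of the capability field: WEP or WPA is in use
TAG_SSID, TAG_DS_PARAMS = 0x00, 0x03

# Constructed beacon: frame control 0x80 0x00 (management/beacon), duration, DA = broadcast,
# SA = BSSID = 00:1b:11:4c:d0:eb, sequence control, fixed parameters (timestamp, beacon
# interval 100 TU, capability = ESS | Privacy), then tagged parameters (SSID "WEP_TEST",
# supported rates, DS parameter set = channel 6).
SAMPLE_BEACON = (
    b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x00\x1b\x11\x4c\xd0\xeb" * 2 + b"\x10\x00"
    + b"\x00" * 8 + b"\x64\x00" + b"\x11\x00"
    + b"\x00\x08WEP_TEST" + b"\x01\x04\x82\x84\x8b\x96" + b"\x03\x01\x06"
)

@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: Optional[int]
    privacy: bool

def type_subtype(frame: bytes) -> int:
    """Combine the 2-bit type and 4-bit subtype of the first frame-control byte."""
    fc = frame[0]
    return (((fc >> 2) & 0x03) << 4) | ((fc >> 4) & 0x0F)

def is_beacon(frame: bytes) -> bool:
    return len(frame) >= 1 and type_subtype(frame) == BEACON

def parse_beacon(frame: bytes) -> Beacon:
    if not is_beacon(frame):
        raise ValueError("not a beacon frame")
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed parameters
        raise ValueError("frame too short to hold the beacon fixed parameters")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # Address 3 of the MAC header
    capability = struct.unpack_from("<H", frame, 34)[0]  # follows timestamp + interval
    ssid, channel, pos = "", None, 36
    while pos + 2 <= len(frame):                         # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tagged parameter")
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            channel = value[0]
        pos += 2 + length
    return Beacon(bssid, ssid, channel, bool(capability & CAP_PRIVACY))

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```

A hidden network (step covered later in the router configuration) shows up here as a beacon whose SSID element has length zero, which is why the parser returns an empty string rather than failing.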
  5. Start aircrack-ng in the terminal with the given SSID specified using the -e flag, or the BSSID (which is the MAC address of the router) specified using the -b flag. You can find both inside the CAP file; however, we only need to specify one.
    aircrack-ng -b 00:1b:11:4c:d0:eb recon.CAP
    Aircrack will immediately begin processing packets to determine the key. In our case, not only does it discover the key in 2 seconds, it also tells us that it is 100% certain of its validity! With knowledge of the key, we are now able to encrypt/decrypt any packets to/from this network (although they may be encrypted further with SSL/TLS). We can also attempt to connect to the network provided we are in range.
    Before continuing, take a screenshot of the key generated by Aircrack-ng.
    Now that you have experienced how easy it is to break a WEP key, we hope you are convinced to configure your wireless security technology to use WPA2 with AES or WPA3, which currently is the best available option.
    Router Configuration for Secure Wireless:
    Visit the following in your favorite browser. This does not have to be done inside the virtual environment: https://emulator.tp-link.com/ax6000_us_v1/index.html. This is the user interface for a popular router brand which we will use for this section of the exercise. Click on Advanced in the toolbar at the top middle section of the screen.
    Figure 3: Homepage of the tp-link emulator
    Then click on Wireless then click Wireless Settings in the drop-down menu on the left side of the screen.
    Figure 4: Advanced menu of the tp-link emulator
    Here, one of the very first security settings that we are offered is the option to change the Wireless Network Name (or SSID). Go ahead and set the name to something else.
    The SSID is the Service Set Identifier (or simply your network name), and it is included, as the salt, in the generation of the WPA/WPA2 PSK. If you have a default name such as ‘tp-link’ or ‘linksys’, an attacker can use a pre-generated rainbow table to attack your network, so it is always important to have a unique SSID.
    The Hide SSID option on the page is an option to enable/disable the SSID broadcast. If this option is not checked, the router will broadcast its name for other devices to see and communicate with (this is the default). Checking this option does not guarantee protection of the network. While the network is not immediately visible, an attacker can still discover a network by monitoring wireless traffic around them. Even if the router traffic is encrypted to the client, some basic information still exists in clear, unencrypted form. For example, association frames are initial connection requests sent to a router when a client wishes to connect to it. At this stage, the client does not know which security standard the router is using, so this frame must be sent in plain text. Part of this frame request is the SSID of the router that the client wishes to connect to. As soon as the attacker captures this frame, they know which router to connect to. Even though it may not stop the attacker, we can increase work for them by adding an extra layer of protection. In order to accomplish this layering, let us disable the Wireless SSID Broadcast option by checking the box.
    The section below allows us to change the Wireless Security Mode. Clicking the drop down menu for security mode offers several different options. Usually, these include WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise, RADIUS, and WEP. We have discussed most of these options already (except RADIUS, which is commonly used in a business environment).
  6. Select WPA/WPA2-Personal as the security mode.
  7. Next, make sure the version is set to WPA2-PSK and the encryption is set to AES.
  8. Look at the text field titled Password. This is the passphrase that you will need to use to access the network. For the shared key, pick a key between 8 and 63 characters in length. The key should be easy to remember but hard to guess and should include uppercase, lowercase, and digits for added security.
    Take a screenshot of all of these settings before continuing.
    At the top of the webpage, you will see that the router offers settings for a 5GHz Band as well. This option offers higher bandwidth at the cost of range. New wireless devices support this band, but older ones do not. For this example, we will go ahead and leave it unconfigured.
    If you do want to have the 5GHz band available in the future, you should follow the same principles for securing it as for the 2.4GHz network above. Keep in mind that new routers offer a guest network feature that you should look for and secure and enable/disable as you deem necessary.
    The final step would be to click Save Settings at the bottom of the page, however since this is only an emulator nothing will happen. When you modify the wireless settings of your network at home you will need to configure all of your devices to connect to the new network with the password.
    As you can see, configuring a wireless network to use WPA2 is quite simple. Remember, WPA3 offers the best protection currently available for a personal, home network, but most current devices at the time of writing only support WPA2.
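The PSK derivation referred to above (the SSID is the salt) can be reproduced in a few lines. This is an added Python example, not code from the handout or from TP-Link: it derives the WPA/WPA2-Personal PSK as 802.11 specifies it (PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 iterations, 256-bit output) and shows why a unique SSID defeats a table precomputed for a default name such as ‘tp-link’. The passphrases and the renamed SSID are constructed sample values; the ‘password’/‘IEEE’ pair is the published 802.11 test vector.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 4096   # iteration count fixed by the 802.11 standard
PSK_BYTES = 32         # 256-bit PSK


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2-Personal passphrase to its 256-bit PSK.
    The SSID is the PBKDF2 salt, so the PSK is bound to the network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_BYTES)


def precompute_table(ssid: str, candidates: List[str]) -> Dict[bytes, str]:
    """PSK -> passphrase table for one SSID: the precomputation the handout
    calls a rainbow table for default names. It is only valid for that SSID."""
    return {wpa_psk(p, ssid): p for p in candidates}


def table_hit(table: Dict[bytes, str], psk: bytes) -> Optional[str]:
    """Look a PSK up in a precomputed table; None when the table does not apply."""
    return table.get(psk)


def demo_unique_ssid_breaks_table() -> Tuple[bool, bool]:
    """Constructed demonstration: a table built for the default SSID 'tp-link'
    matches a network that kept that name, but not one that renamed its SSID,
    even though the passphrase is identical. Returns (default_hit, renamed_hit)."""
    candidates = ["Summer2024", "letmein123", "CorrectHorse"]  # constructed sample list
    table = precompute_table("tp-link", candidates)
    default_hit = table_hit(table, wpa_psk("letmein123", "tp-link")) is not None
    renamed_hit = table_hit(table, wpa_psk("letmein123", "JonesFamilyWiFi")) is not None
    return default_hit, renamed_hit


if __name__ == "__main__":
    print("PSK(password, IEEE) =", wpa_psk("password", "IEEE").hex())
    print("table hits (default SSID, renamed SSID):", demo_unique_ssid_breaks_table())
```

Renaming the SSID forces anyone with a precomputed table to redo all 4096 PBKDF2 rounds per candidate passphrase for your specific name, which is the work the unique SSID adds.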
    To learn more about encryption keys you may visit these websites:
    ➢ https://technet.microsoft.com/en-us/library/cc757419(v=ws.10).aspx
    ➢ https://www.youtube.com/watch?v=ab6GYvKxfV0
    ➢ https://www.youtube.com/watch?v=9M8kVYFhMDw
    ➢ https://www.youtube.com/watch?v=8OPdE1MM1yE
    Post Assignment Questions:
  1. Is hiding your network (disabling SSID broadcast) a reliable way to ensure security?
  2. Which of the following is the best solution for a secure wireless network? WEP, WPA, WPA2, WPA3
  3. Which of the following cipher suites is the best choice for a secure wireless network? TKIP, AES
    Deliverables:
    Turn in the Post Assignment Questions.
    Turn in the screenshot showing the key determined by Aircrack. Turn in the screenshot showing the wireless security settings.
    Sources:
    ➢ http://www.aircrack-ng.org/doku.php?id=simple_wep_crack
    ➢ http://www.aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients
    ➢ https://en.wikipedia.org/wiki/IEEE_802.11
    ➢ http://www.ieee802.org/11/
    ➢ https://mrncciew.com/2014/10/08/802-11-mgmt-beacon-frame/
    ➢ https://www.safaribooksonline.com/library/view/80211-wireless-networks/0596100523/ch04.html#id638531
    ➢ https://www.networkworld.com/article/3316567/what-is-wpa3-wi-fi-security-protocol-strengthens-connections.html
