564 Fall 2007 Security and Privacy on the Internet - Dr. A.K. Aggarwal

Eavesdropping attack over Wi-Fi

Presented By: Fadi Farhat

Fall, 2007

Instructor: Dr. A.K. Aggarwal

Course: Security and Privacy on the Internet


Page 2: Presentation

Table of Contents

Part I: Paper presentation

1. Define Eavesdropping.

2. Difference between Eavesdropping over wired networks & Eavesdropping over wireless networks.

3. What we need to eavesdrop?

4. Legality of eavesdropping devices.

5. What makes Wi-Fi susceptible to be compromised?

6. How to Secure Wi-Fi Networks?

7. Wi-Fi Special attacks.

8. How to detect eavesdropping over Wi-Fi?

Page 3: Presentation

Table of Contents

Part II: Project presentation

Introduction

1. Experiment Architecture and Scenarios

2. Hosts Installations and Configuration

3. Tuning CommView sniffer for experiment

4. Conducting the Experiment

4.1. Spying on HTTP (Web Pages)

4.2. Spying on FTP (Downloading files)

4.3. Spying on SMTP (Emails)

5. IDS PromiScan 3.0

6. References

7. Lab Experiment with ?????

Page 4: Presentation

Part I: Paper presentation

Page 5: Presentation

Eavesdropping

Eavesdropping is the process of gathering information from a network by snooping on transmitted data.

To eavesdrop is to secretly overhear a private conversation over a confidential communication without legal authorization.

The information remains intact, but its privacy is compromised.

Page 6: Presentation

Eavesdropping over wired & wireless networks

Eavesdropping over wired networks

• Over wired networks, eavesdropping is more difficult.

• It requires the eavesdropper to tap the network using a network tap, a hardware device that provides a way to access the data flowing across the network.

• It can't be achieved unless the eavesdropper can physically reach the network wire, which is sometimes difficult and at other times impossible.

Page 7: Presentation

Eavesdropping over wired & wireless networks

Eavesdropping over wireless networks

Easier to achieve (no compromised dangerous).

You need:

• A computer with a wireless network adapter working in promiscuous mode

• To be within the coverage area of the wireless network

• One of the software tools that allow eavesdropping over Wi-Fi

(Wi-Fi is the commercial name for the 802.11 products.)

Page 8: Presentation

What we need to eavesdrop?

1. Hardware tools

• A network adapter supporting promiscuous mode (to intercept and read each network packet, especially those addressed to other network addresses). Ex: Prism 2, 2.5 and 3.

• High-power antennas can be used to intercept wireless traffic from miles away.

Page 9: Presentation

What we need to eavesdrop?

2. Software tools

• Any wireless packet sniffer can be used.

• Widely available for sale and even free over the Internet.

Ex: Network Stumbler, Hitchhiker, Aircrack-ng, Wireshark, Kismet, CommView, Javvin packet analyzer, Wildpackets, Network monitor, Wireless monitor

Page 10: Presentation

Legality of eavesdropping devices

• Be aware of the legal issues before you buy eavesdropping devices.

• It is a crime in most countries to eavesdrop on someone’s privacy.

• But as network administrators need to analyze traffic on their networks (debug networks, find illegitimately installed access points), they may need eavesdropping devices.

Page 11: Presentation

What makes Wi-Fi susceptible to be compromised

• Most of the network adapters used around the world are unsecured and open to unauthorized use.

• Many individuals and businesses don't understand how to secure a wireless network.

• Many Wi-Fi products come ready-to-use right out of the box.

Page 12: Presentation

Securing Wi-Fi Networks?

• The only available way to fight eavesdropping is encryption.

• But even using encryption will not prevent the data from being captured in its encrypted form.

Page 13: Presentation

How to Secure Wi-Fi Networks?

Simple Steps to Secure Wi-Fi Network

1. Change the Administrative Password on your Wireless Routers.

2. Installing a Firewall.

3. Change the Default SSID Name and Turn off SSID Broadcasting.

4. Disable DHCP.

5. Replace WEP with WPA.

Page 14: Presentation

How to Secure Wi-Fi Networks?

1. Change the Administrative Password on your Wireless Routers.

• Routers come with a default password to provide easy access.

• Changing those passwords is one of the first recommended steps.

• Default passwords are posted on the vendor support sites.

Page 15: Presentation

How to Secure Wi-Fi Networks?

2. Installing a Firewall.

• A firewall fences your network off from any unauthorized access.

• It can help protect your PC by blocking or allowing traffic into your network.

Page 16: Presentation

How to Secure Wi-Fi Networks?

3. Change the Default SSID Name and Turn off SSID Broadcasting.

• In Wi-Fi, a service set identifier (SSID) is a code attached to all packets on a wireless network to identify each packet as part of the network.

• Changing the SSID will require the wireless client computers to enter the name of the SSID by hand before they can connect to the network.

• Even so, because the transmitted data packets include the SSID, it may still be discovered.

Page 17: Presentation

How to Secure Wi-Fi Networks?

4. Disable DHCP

• Disable the “Dynamic Host Configuration Protocol”.

• Assign IP addresses to the client computers manually to restrict the access to the router to specific MAC addresses.

Page 18: Presentation

How to Secure Wi-Fi Networks?

5. Replace WEP with WPA

• WEP (“Wired Equivalent Privacy”) is a security protocol that encrypts data transmitted over the wireless computer network to provide security and privacy, and to protect the vulnerable wireless link between clients and access points.

• But WEP is weak and can be cracked in about 3 minutes, as the FBI showed in 2005 using some freely available tools. WPA (“Wi-Fi Protected Access”), which is more powerful and uses 128-bit encryption keys and dynamic session keys, must replace it to provide strong data protection.
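The five steps above can be checked mechanically. The following Python audit is an added example, not part of the original slides: it checks an access-point configuration against the five steps. The field names, the default-SSID list and every sample value other than the lab router's SSID and security mode are assumptions.

```python
from dataclasses import dataclass

# Vendor-default SSIDs to flag (constructed sample list, not exhaustive).
DEFAULT_SSIDS = {"netgear", "linksys", "dlink", "default"}
# The slides name WPA only; WPA2 and WPA3 are its later successors.
ACCEPTED_MODES = {"wpa", "wpa2", "wpa3"}


@dataclass
class ApConfig:
    """Hypothetical record of one access point's settings."""
    ssid: str
    security: str                 # "none", "wep", "wpa", ...
    admin_password_changed: bool
    firewall_enabled: bool
    ssid_broadcast: bool
    dhcp_enabled: bool


def audit(cfg):
    """Return (severity, step, message) findings, most severe first."""
    findings = []
    if not cfg.admin_password_changed:
        findings.append(("high", 1, "administrative password is still the vendor default"))
    if not cfg.firewall_enabled:
        findings.append(("medium", 2, "no firewall is protecting the network"))
    if cfg.ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append(("medium", 3, "SSID is a vendor default name"))
    if cfg.ssid_broadcast:
        # Low severity: the SSID travels in transmitted packets, so
        # hiding it only deters casual discovery.
        findings.append(("low", 3, "SSID broadcasting is on"))
    if cfg.dhcp_enabled:
        findings.append(("low", 4, "DHCP gives an address to any client that associates"))
    mode = cfg.security.strip().lower()
    if mode == "none":
        findings.append(("high", 5, "no encryption: traffic is readable by anyone in range"))
    elif mode == "wep":
        findings.append(("high", 5, "WEP is weak; replace it with WPA"))
    elif mode not in ACCEPTED_MODES:
        findings.append(("high", 5, "unrecognised security mode: " + cfg.security))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Lab router from the experiment: SSID "Stay Away", security "none".
# The other four values are assumptions made for this example.
LAB_AP = ApConfig("Stay Away", "none", False, False, True, True)
HARDENED_AP = ApConfig("Stay Away", "wpa", True, True, False, False)

if __name__ == "__main__":
    for severity, step, message in audit(LAB_AP):
        print(f"[{severity}] step {step}: {message}")
```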

Page 19: Presentation

Wi-Fi Special attacks

• The Man-In-The-Middle attack is one of the attacks that can’t be applied to wired networks; it is applicable only to Wi-Fi.

• Hackers can configure a rogue AP to imitate a legitimate AP.

• Once the client is connected to the rogue AP, the hacker can perform any attack that involves modifying the packet stream.

• Emails can be read, phishing attacks can be implemented, etc.

Page 20: Presentation

How to detect eavesdropping over Wi-Fi

Some Wi-Fi equipment makers have added more security measures, such as:

• Intrusion detection that uses position location technology to detect the presence of a malicious station, in order to track down the offending station and remove it.

• Sniffing node detection tools that detect promiscuous nodes. Ex: PromiScan.

Page 21: Presentation

Part II: Project presentation

Page 22: Presentation

Introduction

In this project, I simulate an easy, yet important, eavesdropping wireless attack.

Unsecured wireless sessions can be a target for eavesdropping attackers.

Serious confidential and personal data can be captured, analyzed and even re-transmitted on one’s behalf.

Page 23: Presentation

Experiment Architecture and Scenarios

[Figure: Experiment Architecture. Intruder machine: HP laptop, Windows XP, CommView for WiFi. Victim machine: Toshiba laptop, Windows XP. NetGear wireless router. Ethernet intranet. Intranet server: Windows Server 2000 (Web, Mail, FTP services).]

Page 24: Presentation

Experiment Architecture and Scenarios

Experiment Scenarios

The intruder (an upset student) will try to listen to the data flow to/from the victim (his professor) and capture important information about him.

• Spying on HTTP (Web Pages)

• Spying on FTP (Downloading files)

• Spying on SMTP (Emails)

Page 25: Presentation

Hosts Installations and Configuration

Configuration of Victim Machine

Configuring Outlook Express email client

Toshiba Laptop

CPU: Centrino 1.7 GHz

Memory: 1 GB

Hard Disk: 80 GB

Operating System: Windows XP Professional

IP Address: 192.168.1.2

Page 26: Presentation

Hosts Installations and Configuration

Configuration of Victim Machine

Configuring Outlook Express email client


Page 29: Presentation

Hosts Installations and Configuration

Configuration of Host Intruder Machine (Laptop)

Installing CommView for Wi-Fi

HP Laptop

CPU: Centrino 1.7 GHz

Memory: 512 MB

Hard Disk: 60 GB

Operating System: Windows XP Professional

IP Address: NO IP ADDRESS

CommView for Wi-Fi (packet sniffer and generator)

Page 30: Presentation

Hosts Installations and Configuration

Configuration of Host Intranet Server

Installing IIS, SMTP and FTP

Configuring IIS, SMTP, FTP

IBM server

CPU: Xeon 3.00 GHz

Memory: 256 MB

Hard Disk: 80 GB

Operating System: Windows 2000 Advanced Server (Ser)

IP Address: 192.168.1.100

Application: MS-IIS web server, SMTP Relay service, FTP service.

Note: For assist limitation: This server is implemented using VMware ver 4.0, a virtual machine application that runs on top of the installed operating system. I had to use it because the installed OS (Windows XP) doesn’t support web services (IIS, SMTP, FTP).

100 Mbps UTP connection to Access point

Page 31: Presentation

Hosts Installations and Configuration

Configuration of Host Intranet Server

• On Windows 2000 Server: Start -> Settings -> Control Panel

• Add/Remove Programs, Add/Remove Windows Components

• Check the checkbox of IIS services

Page 32: Presentation


Hosts Installations and Configuration

Configuration of Host Intranet Server

For the HTML, add the file called default.htm to the folder c:\inetpub\wwwroot.

Page 33: Presentation

Hosts Installations and Configuration

Configuration of Host Intranet Server

For SMTP, configure the mail server domain name:

• Start -> Programs -> Administrative Tools -> Internet Services Manager.

• Click on SMTP.

• Right click on domain.

• Click Add new domain and type uwindsor.ca.

Page 34: Presentation

Hosts Installations and Configuration

Configuration of Host Intranet Server

FTP needs no configuration. Just add some files to the ftproot folder. These files will be downloaded by clients.

Page 35: Presentation

Hosts Installations and Configuration

Configuration of Access point Router

• SSID

• IP address

• DHCP service

• Channel ID

Brand Name: Netgear 54 wireless router XG614v7

SSID name: Stay Away

Channel ID: 2

4-port UTP switch (the intranet server is connected via it)

Operating System: Windows 2000 Advanced Server (Ser)

IP Address: 192.168.1.1

Acts as a router between the wireless network and the intranet network as shown in figure 1

Page 36: Presentation

Hosts Installations and Configuration

Configuration of Access point Router

• Configure the Netgear router from a web browser by typing HTTP://192.168.1.1

• Type the name in the SSID name field.

• In the channel field, select the channel.

• Make sure the security field is “none”.

Page 37: Presentation

Hosts Installations and Configuration

Configuration of Access point Router

Configure the IP address and the DHCP of the AP

Page 38: Presentation

Tuning CommView sniffer for experiment

Start CommView for Wi-Fi, click on the File menu, then select Start Capture.

Page 39: Presentation

Tuning CommView sniffer for experiment

Configure the channel number to limit the search.

Page 40: Presentation

Tuning CommView sniffer for experiment

Configure IP aliases to simplify the analysis of the captured packets by showing the alias name instead of the IP address.

Click on Settings -> IP aliases, then type in the IP address of each host involved in the scenario.

Page 41: Presentation

Tuning CommView sniffer for experiment

Configuring CommView Rules (Filters)

• Click on the Rules tab

• Enable IP address rules

• Check the Capture option

• Check the Both option

• Type the IP addresses of all the hosts

Page 42: Presentation


Tuning CommView sniffer for experiment

Configuring CommView Rules (Filters)

My scenario is to capture certain packets so only sniff the following set of protocols

Page 43: Presentation

Tuning CommView sniffer for experiment

Configuring CommView Rules (Filters)

• Click on the Rules tab

• Tell the sniffer to only sniff the following set of protocols:

  • TCP port 80 for HTTP

  • TCP port 20, 21 for FTP

  • TCP port 25 for SMTP (mail)

Page 44: Presentation

Conducting the Experiment

Start Eavesdropping

• Start CommView by clicking on File --> start capture

• From the scanning window, click on start scanning

Page 45: Presentation

Conducting the Experiment

Spying on HTTP (Web Pages)

In this attack the intruder will spy on the victim's HTTP traffic. The victim is accessing a web server and reading a specific important confidential page from his corporate web server.

The victim will type the website name in the web browser (here it is an IP address, 192.168.1.100).

After the previous step, the CommView packet tab shows that 45 packets have been captured.

Page 46: Presentation


Spying on HTTP (Web Pages)

Page 47: Presentation

Spying on HTTP (Web Pages)

To make it easier for the intruder to actually see what the victim was watching, the intruder can reconstruct the HTTP session and view it as a web page with some format limitations. To do this, the intruder can simply right-click on any HTTP packet and select “Reconstruct TCP session”.

Page 48: Presentation

Conducting the Experiment

Spying on HTTP (Web Pages)

Page 49: Presentation

Conducting the Experiment

Spying on HTTP (Web Pages)

CommView was even able to show images transferred during the HTTP session.

Page 50: Presentation

Conducting the Experiment

Spying on FTP (Downloading files)

The victim will connect to an FTP server to download an important confidential file. The victim will do the following steps:

From the command prompt, the victim will connect to the FTP server, entering the administrator account and password, and then download a configuration file called rules.txt.

Page 51: Presentation

Conducting the Experiment

Spying on FTP (Downloading files)

This screen is from the victim’s laptop.

Page 52: Presentation

Conducting the Experiment

Spying on FTP (Downloading files)

The intruder was able to capture the whole session in 67 packets. The username and password were captured. All the commands issued by the victim were gathered, as well as a copy of the downloaded text file.

Page 53: Presentation

Conducting the Experiment

Spying on FTP (Downloading files)

Copy of the downloaded text file.

Page 54: Presentation

Conducting the Experiment

Spying on SMTP (Emails)

The victim, using his Outlook Express, sends a confidential email to Dr. Aggarwal.

Page 55: Presentation

Conducting the Experiment

Spying on SMTP (Emails)

CommView captured the email, the sender, the receiver and the subject.

Page 56: Presentation

Conducting the Experiment

• This whole experiment happened over a non-secure network.

• I conducted the same detailed experiment but over a secure network using WEP security and the results were the same as over a non-secure network.

• But when I conducted the same experiment over a secure network using WPA security, the laptop using the sniffer couldn't even connect to the network.
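For a defender, the ports the sniffer was filtered on (TCP 80, 20, 21 and 25) mark the services whose traffic is readable unless the link or the protocol itself is encrypted. The following Python example is added here and is not part of the original slides; it inventories such cleartext services from flow records. The CSV layout and the sample flows are constructed, using the lab's addresses, and the suggested replacements are not from the slides.

```python
import csv
import io
from collections import defaultdict

# Ports from the sniffer rules in the slides, each with the usual
# encrypted replacement (the replacements are not from the slides).
CLEARTEXT_PORTS = {
    20: ("FTP data", "SFTP or FTPS"),
    21: ("FTP control", "SFTP or FTPS"),
    25: ("SMTP", "SMTP with STARTTLS"),
    80: ("HTTP", "HTTPS"),
}

# Constructed flow records (hypothetical CSV layout), lab addresses.
SAMPLE_FLOWS = """src,sport,dst,dport,proto
192.168.1.2,1050,192.168.1.100,80,tcp
192.168.1.3,1200,192.168.1.100,80,tcp
192.168.1.2,1051,192.168.1.100,21,tcp
192.168.1.100,20,192.168.1.2,1052,tcp
192.168.1.2,1053,192.168.1.100,25,tcp
192.168.1.2,1054,192.168.1.100,443,tcp
192.168.1.2,1055,192.168.1.1,53,udp
"""


def cleartext_services(flow_csv):
    """Group flows on cleartext ports by (server, port)."""
    seen = defaultdict(lambda: {"clients": set(), "flows": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].strip().lower() != "tcp":
            continue
        sport, dport = int(row["sport"]), int(row["dport"])
        if dport in CLEARTEXT_PORTS:
            server, port, client = row["dst"], dport, row["src"]
        elif sport in CLEARTEXT_PORTS:
            # Active-mode FTP data (and reply-direction records): the
            # service port is the source port, so the server is "src".
            server, port, client = row["src"], sport, row["dst"]
        else:
            continue
        seen[(server, port)]["clients"].add(client)
        seen[(server, port)]["flows"] += 1

    report = []
    for (server, port), data in sorted(seen.items()):
        service, replacement = CLEARTEXT_PORTS[port]
        report.append({
            "server": server,
            "port": port,
            "service": service,
            "clients": sorted(data["clients"]),
            "flows": data["flows"],
            "replace_with": replacement,
        })
    return report


if __name__ == "__main__":
    for entry in cleartext_services(SAMPLE_FLOWS):
        print("{server}:{port} {service}: {flows} flow(s) from {clients}, "
              "move to {replace_with}".format(**entry))
```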

Page 57: Presentation

IDS PromiScan 3.0

The intrusion detection system that can detect promiscuous sniffing nodes (eavesdropping) is called PromiScan.

But due to its high price ($500) I couldn’t use it. The free trial version of that software has many limitations (special IP address range) and I actually spent more than 10 hours trying it but without any results.


Page 59: Presentation


Questions in the lab