Friday, February 28, 2014
Difficulties encountered and solutions (troubleshooting)
In fact, we did not run into serious trouble in this project, but we think it necessary to talk about some of the difficulties involved.

Being unfamiliar with the software involved in the project was probably the most annoying difficulty, because none of us had any experience with Linux, into which we had to type commands. Fortunately, it did not block us: we soon got used to it while attacking a wireless network with WEP encryption.

Next we moved on to decrypting a WPA network. This was a tough job compared with WEP because of the more complex encryption. Exhaustive enumeration is clearly not feasible here because the computation would be too much, so we used dictionary files to help find the key. Here we met another problem: the dictionary file seemed useless. After a large amount of time the computer was still working. We inferred that the dictionary file did not match the network under attack, so we tried other dictionary files, and we did not succeed until the third one was applied.

At last we encountered the final trouble, and it nearly destroyed our project. It occurred in Kismet (the detection software). At first we did not know where it came from at all, because we had locked the detection channel to the one we wanted and everything seemed correct, but we just could not figure it out. The attack was successful, but Kismet showed nothing detected and no alert file was generated. We tried every method we could, all in vain. Eventually the problem became clear: on the same channel there were also frames from other networks, which had to be eliminated. So we locked detection to our own access point and the project could go on; Kismet then detected perfectly. Also, the alert file is written every five minutes, so it cannot be seen immediately. In the last trial we got everything we wanted, and we can declare the project a success.
Wednesday, February 26, 2014
Simple Introduction to WPA encryption
After the flaws of WEP were found, Wi-Fi Protected Access (WPA) was invented to replace it and provide a higher security level.
Compared with WEP, WPA has doubled the length of the IV, the Temporal Key Integrity Protocol (TKIP) dynamically generates a new key for each packet, and the integrity check algorithm has been upgraded: "Michael" has replaced the CRC (Cyclic Redundancy Check). The following figures show the configuration of the two levels of WPA keys:
1. Pairwise Key
2. Group Key
Simple Introduction to WEP encryption
WEP (Wired Equivalent Privacy) is a security algorithm for 802.11 wireless networks. It was widely used but has now been replaced by newer methods such as WPA or WPA2, because WEP has been proved to have drawbacks and is easily and quickly broken. The following figure shows its configuration and the process of encryption and decryption:
Obviously, WEP is composed of an IV (Initialization Vector) and a key. WEP uses the stream cipher RC4 to encrypt the data; XOR gates are used in both encryption and decryption.
Nowadays WEP is still used, but it could disappear someday because its security is not guaranteed.
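As an added illustration (not code from the original post) of the RC4/XOR construction described above, the following Python models WEP-style encryption and decryption: the 24-bit IV is prepended in the clear, the keystream is RC4(IV || key), and the same XOR recovers the plaintext. The last function shows why such a small IV space is dangerous: two frames with the same IV cancel the keystream. The key and IV values are constructed for the example.

```python
import struct
import zlib

def rc4_keystream(key, length):
    """RC4 key scheduling (KSA) plus PRGA, returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, plaintext):
    """ICV = CRC-32 of the plaintext; keystream = RC4(IV || key);
    body = (plaintext || ICV) XOR keystream; the 3-byte IV travels in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    return iv + xor(data, rc4_keystream(iv + key, len(data)))

def wep_decrypt(key, frame):
    """Decryption is the same XOR with the same keystream (the figure's XOR gate).
    Returns (plaintext, icv_ok); icv_ok is False on a wrong key or a tampered frame."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    icv_ok = struct.unpack("<I", icv)[0] == (zlib.crc32(plaintext) & 0xFFFFFFFF)
    return plaintext, icv_ok

def keystream_reuse_leak(frame_a, frame_b):
    """If two frames reuse an IV, XORing their bodies cancels the RC4 keystream and
    leaks plaintext_a XOR plaintext_b; with only 2^24 IVs, reuse is inevitable."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])

# Constructed example values (not from any real network).
KEY = b"12345"              # a 40-bit WEP key, like the one set in the week 2 post
IV = b"\x01\x02\x03"
```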
Monday, February 24, 2014
Introducing the types of frame, part 2
Question: What is the data frame?
Answer: It carries higher-level protocol data in the body of the frame.
General data frame
In addition, some fields in this figure are not always used (it depends on the particular type of data frame).
Question: What are different types of data frame?
Answer:
Question: What is the use of the address fields in data frames?
Answer:
The meanings of the abbreviations are given in "description of this project".
To DS means from the BSS to the DS.
From DS means from the DS to the BSS.
Question: What is the management frame?
Answer: A large component of the 802.11 specification. Several different management frames are used to provide services that are simple on a wired network. On a wired network it is easy to establish the identity of a network station, because a network connection requires a wire to be dragged from a central location to the new workstation. For example, a personal visit when the new connection is brought up can authenticate that connection.
The structure of the management frame
Question: What are the subtypes of the management frame?
Answer:
a. Beacon (modify)
b. Probe (request and response)
c. Authentication (request and response)
d. Association (request and response)
e. Reassociation (request and response)
f. Disassociation (modify)
g. Deauthentication (modify)
Sunday, February 23, 2014
Introducing the types of frame, part 1
Question: What is the frame?
Answer: A frame is a kind of data packet on the 2nd layer of the OSI model (as introduced in "description of this project"). It is defined as the transmission unit of the link-layer protocol. A frame consists of a link-layer header followed by a packet (payload and control information).
Question: How many types of frame are there, and what are they?
Answer: Three types: data frames, control frames and management frames.
Question: What is the control frame?
Answer: Control frames assist the delivery of data frames and administer access to the wireless medium. In addition, they provide MAC-layer reliability functions.
Frame Control field in control frames
Protocol version: 0 (the only version currently defined).
Type: control frames are assigned the type identifier 01.
Subtype: the subtype of the control frame.
ToDS and FromDS bits: both 0, because control frames are neither sent to nor received from the distribution system.
More Fragments bit: control frames are not fragmented, so this bit is 0.
Retry bit: control frames are not queued for retransmission like management or data frames, so this bit is always 0.
Power Management bit: indicates the power management state of the sender.
More Data bit: only used in management and data frames, so it is set to 0.
WEP bit: control frames may not be encrypted with WEP, so the WEP bit is always 0.
Order bit: this bit is set to 0.
Question: How many subtypes of control frame are there, and what are they?
Answer: Four subtypes: Request to Send, Clear to Send, Acknowledgment and Power-Save Poll.
Request to Send (RTS)
RTS frames are used to gain control of the medium for the transmission of large frames.
Clear to Send (CTS)
The CTS frame answers the RTS frame.
Acknowledgment (ACK)
ACK frames are used with any data transmission to send the positive acknowledgments required by the MAC.
Power-Save Poll (PS-Poll)
When a mobile station wakes from power-saving mode, it transmits a PS-Poll frame to the AP to retrieve any frames buffered while it was in power-saving mode.
Wednesday, February 19, 2014
Sunday, February 16, 2014
Brief summary of Week 3 (success in both attack and detection)
Following last week's success, we got through this week's tasks satisfyingly, and final completion seems to be coming.

Since we had not met the requirement of learning 802.11 MAC frames, we first supplemented our knowledge about them, and we would like to learn more about the types of MAC frames next week.

This week's three main achievements are realizing the deauth attack, the decryption, and the corresponding detection on a WPA-encrypted network. WPA2 is more complex but theoretically similar, so we temporarily skip it and will experiment on a network of this type if time allows.

As the picture shows, we used the command 'aireplay-ng' again to realize the attack. The number '100' in the command means to attack 100 times, and the two addresses that follow indicate the AP and a client respectively. As a result, the connection between them was cut off.

Next is the decryption. As exhaustive search costs too much time, we downloaded a dictionary file to help recover the key, and apparently this method is rather convenient. The key was quickly found, namely 'qwertyui', as we had set before. The result is shown in the screenshot below:

Finally, we used Kismet to detect the intrusion. All networks and attacks were under Kismet's detection. When a client was attacked, Kismet started to analyse and an Alert file was generated. The result is shown in the screenshot below:

We can find 'broadcast deauthenticate/disassociation' repeatedly, which indicates that the network is being attacked.

However, we are still trying to find some way to inform the clients of the attack.

Next week we will get more familiar with Kismet and concentrate on some details. In addition, our blog and poster need some attention.
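As an added example (not code from the original post, nor from Kismet or aircrack-ng), the following Python decodes the Frame Control field and the address fields described in the "types of frame" posts, and then, over a constructed capture, counts broadcast deauthentication/disassociation frames per BSSID, which is the pattern behind the Kismet alert quoted above. The MAC addresses and the alert threshold are made-up values.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT, CTRL, DATA = 0, 1, 2            # 2-bit Type field (control frames are type 01)
DISASSOC, DEAUTH = 0xA, 0xC           # management subtypes behind the Kismet alert

def parse_frame_control(fc_bytes):
    """Decode the 2-byte little-endian Frame Control field into its subfields."""
    fc = struct.unpack("<H", fc_bytes)[0]
    return {"version": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200), "more_frag": bool(fc & 0x0400),
            "retry": bool(fc & 0x0800), "power_mgmt": bool(fc & 0x1000), "more_data": bool(fc & 0x2000),
            "protected": bool(fc & 0x4000), "order": bool(fc & 0x8000)}  # "protected" is the WEP bit

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame):
    """Parse the MAC header: control frames such as ACK carry only Addr1 (RA);
    management and data frames carry Addr1..Addr3 followed by Sequence Control."""
    hdr = parse_frame_control(frame[0:2])
    hdr["addr1"] = mac_str(frame[4:10])
    if hdr["type"] != CTRL:
        if len(frame) < 24:
            raise ValueError("frame too short for a 3-address MAC header")
        hdr["addr2"], hdr["addr3"] = mac_str(frame[10:16]), mac_str(frame[16:22])
    return hdr

def find_deauth_floods(frames, threshold=5):
    """Count broadcast deauth/disassoc frames per BSSID (Addr3) and return the
    BSSIDs that reach the threshold, i.e. a flood aimed at one AP's clients."""
    counts = Counter()
    for frame in frames:
        h = parse_header(frame)
        if h["type"] == MGMT and h["subtype"] in (DISASSOC, DEAUTH) and h["addr1"] == BROADCAST:
            counts[h["addr3"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}

def build_frame(fc0, fc1, addr1, addr2=b"", addr3=b"", body=b""):
    """Assemble a constructed frame: FC, Duration=0, addresses, SeqCtrl=0 (non-control only), body."""
    seq = b"\x00\x00" if addr2 else b""
    return bytes([fc0, fc1, 0, 0]) + addr1 + addr2 + addr3 + seq + body

# Constructed sample capture; the MAC addresses are made up for this example.
AP, STA, BCAST = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("a1b2c3d4e5f6"), b"\xff" * 6
CAPTURE = ([build_frame(0x80, 0x00, BCAST, AP, AP),           # beacon (management, subtype 8)
            build_frame(0x08, 0x01, AP, STA, AP),             # data frame with ToDS=1
            build_frame(0xD4, 0x00, STA)]                     # ACK (control, 10-byte header)
           + [build_frame(0xC0, 0x00, BCAST, AP, AP, b"\x07\x00")] * 6)  # broadcast deauths
```

`find_deauth_floods(CAPTURE)` reports the constructed AP's BSSID with a count of 6, while the beacon, data and ACK frames are ignored.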
Saturday, February 8, 2014
Brief summary of Week 2 (first successful attack trial)
Unfortunately, we did not meet all the requirements our supervisor gave, especially the concept of the 802.11 MAC frame. Thus, next week, before anything else, we should search and get at least a simple understanding of it. The attachment gives an explanation of the frame. (How 802.11 wireless works)
This week, what we did was check the configuration of WEP and WPA encryption, which are often used for wireless network passwords. In addition, we successfully completed the deauth attack and the injection attack against WEP encryption, yet the decryption of WPA needs more effort. We have already obtained the password of a WEP-encrypted wireless network. The demonstration and the screenshots are shown below:
The first step is to turn on monitoring mode with "airmon-ng" and monitor a specific channel, filtering by BSSID with "airodump-ng", to target the intended AP. The packets are captured and written into a file with a name chosen by the attacker.
It can be very slow to capture enough packets in a short time, so we used the command in the figure above, "aireplay-ng", to send packets to the AP.
After we had enough packets, i.e. enough information, we simply ran "aircrack-ng" on the file mentioned above, and we got the password: 12345, just as we had set.
Compared with WEP, in WPA the length of the IV (initialization vector) has been extended, and TKIP (Temporal Key Integrity Protocol) makes it possible to dynamically generate a new 128-bit key for each packet. Thus, the old method for WEP does not work.
Two solutions: one is using reaver to implement an exhaustive method, where whether it finds the right password depends on luck, or it could take an incredibly long time.
The other is to deauth one user device and capture a handshake packet when it reconnects to the AP. The handshake packet can help the decryption.
However, the decryption of WPA may take days even after the handshake packet has been obtained.
Therefore, our team will keep working on WPA and learn how to pretend to be a fake AP. If we have extra time, we will start to try Kismet for intrusion detection.
PS: we should become familiar with the concept of the 802.11 frame.
Wednesday, February 5, 2014
Our first attempt at Linux
Last Friday, we tried to use Linux (versions: BackTrack 5 and Kali Linux) in the laboratory. It has to be said that it was the first time for most of our group members to use this operating system. Different from popular operating systems such as Windows and Mac OS, Linux is an open-source operating system. Therefore, it was hard to operate this system fluently, let alone attack or defend. Every time we wanted to perform an operation, a command had to be typed in, and the difficult point was that we were not familiar with these commands. For this reason, although we knew what software we needed, such as aircrack, it was useless when the commands we entered were incorrect or empty. At this point Andrew helped us solve this problem. He explained the details of some commands and demonstrated once how to attack a designated AP. We believe it will be beneficial for us the next time we do this experiment. After consideration, we decided to install Kali Linux on our individual computers, because Kali Linux is the newer version and includes all the software useful for this experiment.
PS: the photo below is a screenshot of the example Andrew provided of how to use the attack method, BSSID, which would shut down the signal-emitting function of the AP.