08 Jun Discuss/describe the attacks associated with WEP, WPA, WPA2 or Bluetooth
CSEC640
Contents
Topic 1: Analogy ... 2
  Analogy: The Magic of Encryption ... 2
Topic 2: Module Introduction ... 4
Topic 3: 802.11 Wireless LAN Technology ... 5
  Introduction to 802.11 WLAN ... 5
  WLAN Infrastructure ... 7
  Connecting to a Wireless Network ... 9
  Understanding 802.11 WLAN Vulnerabilities ... 14
  Basic Security Mechanisms ... 15
  Activity ... 17
Topic 4: 802.11 WLAN Discovery ... 19
  Tools and Scanners ... 19
  Rogue Hunt ... 22
Topic 5: 802.11 Security Protocols ... 23
  IEEE 802.1x/EAP ... 23
  Encryption Protocols—A Comparison ... 25
  WEP ... 27
  WEP Attacks ... 29
  ChopChop Attack Demo ... 31
  WPA/WPA2 Attacks ... 41
  Activity ... 45
Topic 6: Bluetooth ... 47
  What Is Bluetooth? ... 47
Topic 7: Summary ... 49
Glossary ... 50
© UMUC 2011
Page 1 of 51
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
CSEC640
Topic 1: Analogy
Analogy: The Magic of Encryption
Wireless LAN Security
CSEC640 – Module 9
The Magic of Encryption
IT security managers use a variety of encryption protocols, cloaking mechanisms, and
address filtering processes to protect their companies’ proprietary data. Similarly, the
Modern Museum of Magic uses security protocols to safeguard its magic books.
Step 1
The Modern Museum of Magic displays props, sells souvenirs, and hosts a daily magic
show. Headed by the popular magician Maddox, the museum stores the secrets of every
magic trick in a central safe in the museum’s basement.
Maddox: Hi, I’m Maddox. I am the head of the Modern Museum of Magic. To ensure
that our magic trick books are only accessed by authorized people, we follow strict
security protocols.
Maddox: These protocols allow the books to travel safely from the safe to my office and
back without people getting their hands on them.
While Maddox is busy guarding his magic books, across the street an IT manager,
Justine Jackson, is busy guarding the data on her network.
Justine: Hello, I’m Justine. I’m a manager at a reputable IT company. We’ve installed a
new wireless network to store and transfer our proprietary data. To protect this data, my
team has placed layered security protocols that guard the network at multiple
checkpoints.
Justine: All possible vulnerabilities that can be exploited, such as logins and file
transfers, have been given special encryption mechanisms.
Step 2
Museum
Authorized persons need an ID card to enter the museum. Senior managers need
biometric clearance to enter the basement and an encrypted 8-digit password to access
the safe.
Maddox: The password used to enter the safe is changed daily by an outsourced
security agency and sent to me at midnight. These layers of protection ensure that the
magic trick books are protected.
IT Company
To access the wireless network, authorized employees must log in with unique
usernames and passwords. To transfer confidential reports, they must use WEP and
WPA encryption codes. If at any point the network is under attack, network
administrators can hide or cloak the network’s SSID so that hackers will not be able to
detect it.
Justine: Cloaking the SSID is a trick similar to Maddox the magician making the Empire
State Building disappear!
Step 3
Defense in Depth Strategy
Network protocols, like the different layers of museum security, are more difficult to crack
as you get deeper. This is known as a defense in depth strategy and is adopted by most
software engineers.
It is a security mechanism that makes it difficult for hackers to accomplish their goal.
Only the most determined person—who has knowledge and the required skill—can
penetrate the security layers. There is no foolproof security, but there is reasonable
prudence.
Topic 2: Module Introduction
Wireless communication is one of the cornerstones of digital infrastructure. Consumer
electronic devices, such as cell phones, laptops, and televisions, all rely on wireless
local area networks (WLANs) to transfer voice and data. Corporations rely on WLANs to
stay connected to their employees and clients.
As WLANs become more widespread, the security implications of using them also
become critical. Millions of users transfer personal and privileged information daily on
their WLANs. It is paramount that these wireless networks provide their users reliability
and security against hacker theft.
This module introduces WLANs and examines two of the most commonly used wireless
technologies, 802.11 WLAN and Bluetooth. The module discusses how these
technologies are structured, the attack vectors they are vulnerable to, and the security
mechanisms that keep them resilient.
Topic 3: 802.11 Wireless LAN Technology
Introduction to 802.11 WLAN
802.11 Wireless Local Area Network (WLAN) is today’s most widely used technology for
data transfer.
Technology Standards
Developed by a working group of the Institute of Electrical and Electronics Engineers
(IEEE), the IEEE 802.11 standard refers to a family of specifications for WLAN.
The standard has continuously improved with the release of 802.11a, 802.11b, 802.11g,
and 802.11n. 802.11g is the most widely used standard, and 802.11n is the most
recently developed standard.
Communication Technique
802.11 WLAN technology uses radio frequencies to facilitate communication. The rate of
data transfer, the radio frequency used, and the range of mobility differ for each 802.11
variant.
IEEE Standard | Top Data Rate | Radio Frequency | Approximate Range
802.11        | 2 Mbps        | 2.4 GHz         | 60 ft
802.11a       | 54 Mbps       | 3.7/5 GHz       | 100 ft
802.11b       | 11 Mbps       | 2.4 GHz         | 125 ft
802.11g       | 54 Mbps       | 2.4 GHz         | 125 ft
802.11n       | 300 Mbps      | 2.4/5 GHz       | 230 ft
Benefits and Limitations
The 802.11 WLAN offers many benefits to its customers but has a few limitations.
Benefits
1. Mobility: A WLAN enables wireless devices to join an IP LAN. This allows wireless
network users to connect to existing networks and still roam freely with their devices.
2. Ease of Deployment: Unlike wired networks, wireless networks do not require
running cables. These cables are time-consuming to create, expensive, and often
involve construction of infrastructure.
3. Flexibility: Once wireless infrastructure is implemented, service can be provided to
many clients without changes to the infrastructure. This kind of flexibility is a good
solution for clients whose coverage area constantly increases or decreases or who
find it costly to implement a wired solution.
Limitations
1. Bandwidth: Even the fastest wireless connection is slower than a wired connection.
For instance, the top speed of 802.11n is 300 Mbit/s, whereas wired connections
easily go up to 1 Gbit/s, depending on the network interface card.
2. Security: Communication transmitted on a WLAN is available to anyone within the
transmitter’s range whose equipment includes an appropriate antenna.
Topic 3: 802.11 Wireless LAN Technology
WLAN Infrastructure
The hardware used in 802.11 WLAN includes the network interface cards (NICs) used
by the clients and the access points (APs) or routers available from the service provider.
For instance, this diagram shows a wireless client and the NIC card attached to it; a
wireless AP/router that is attached to the provider’s server; and the network channels
that transport data between the NIC and the AP.
An IEEE 802.11 WLAN consists of one or more Basic Service Sets (BSS). The BSS is a
basic building block of a WLAN. A BSS includes an AP and one or more stations (STAs).
A STA is a wireless endpoint device. Typical examples of STAs are notebook computers
with IEEE 802.11 capabilities. The AP in a BSS connects the STAs to external (e.g.,
Internet) or internal networks.
NIC
Clients connect to an available access point through a wireless NIC, which may take
the form of a universal serial bus (USB) adapter, a peripheral component interconnect
(PCI) card, or a personal computer (PC) card developed by the Personal Computer
Memory Card International Association (PCMCIA).
AP
Access points are wireless switches/routers that connect the wireless client to a wired
network. Connecting to an AP is similar to plugging into a wired network, as APs are
layer 2 devices that function as an Ethernet hub, router, and switch at the same time.
APs have the option of broadcasting their service set identifier (SSID) to allow clients to
distinguish multiple networks in the area. Multiple APs can be combined to provide larger
coverage while still appearing as a single network.
Channels
Each AP requires only a fraction of the frequency associated with the standard it is
operating on. These fractions are referred to as channels, which vary from 10 to 40 MHz
in width depending on the standard.
For example, an AP operating on the 802.11g standard can choose from 14 overlapping
channels in the 2.4 GHz range. Each channel has a width of 22 MHz.
Topic 3: 802.11 Wireless LAN Technology
Connecting to a Wireless Network
Clients connect to a wireless network through a series of transactions between the
client’s NIC and the network’s AP.
WLAN Connection Process
Step 1
The AP periodically broadcasts packets called beacons to advertise its presence. These
beacons contain the SSID or NULL, if not set.
Step 2
The client NIC sends a probe request to connect to a specific AP. The AP responds to
that request with its settings, which include the data rate, SSID, and security
implementation.
Step 3
The client’s NIC sends an authentication request to the AP, to which the AP responds
with a "success" or "failure" status.
Step 4
Once the client NIC is successfully authenticated, the NIC sends an association request
to the AP. The AP responds by setting up the data link and mapping an association
identifier (AID) to the client. The wireless connection is finally established.
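The four steps above, played out in code as an added example that is not part of the course module: a minimal access point that answers probe, authentication and association frames while tracking each station's state (unauthenticated, authenticated, associated), and a station that walks through the sequence and receives its AID. The MAC addresses, SSIDs and data rates are constructed, the authentication is the open-system variety, and the frames are Python objects rather than real 802.11 bytes.

```python
"""Simulation of the 802.11 join sequence: beacon, probe, authentication, association.
Added example; all addresses, names and rates below are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    UNAUTHENTICATED = 1   # state 1: not authenticated, not associated
    AUTHENTICATED = 2     # state 2: authenticated, not associated
    ASSOCIATED = 3        # state 3: authenticated and associated


@dataclass
class Frame:
    subtype: str          # beacon, probe_req, probe_resp, auth, assoc_req, assoc_resp
    src: str
    dst: str
    body: dict = field(default_factory=dict)


BROADCAST = "ff:ff:ff:ff:ff:ff"


class AccessPoint:
    """Minimal AP: advertises itself and keeps a per-station state machine."""

    def __init__(self, bssid, ssid, rates, security, hide_ssid=False):
        self.bssid, self.ssid, self.rates, self.security = bssid, ssid, rates, security
        self.hide_ssid = hide_ssid
        self.stations = {}     # station MAC -> State
        self.aids = {}         # station MAC -> association identifier
        self._next_aid = 1

    def beacon(self):
        # Step 1: the beacon carries the SSID, or an empty (NULL) SSID when cloaked.
        ssid = "" if self.hide_ssid else self.ssid
        return Frame("beacon", self.bssid, BROADCAST,
                     {"ssid": ssid, "rates": self.rates, "security": self.security})

    def handle(self, frame):
        """Return the AP's reply to a station frame, or None if it is ignored."""
        state = self.stations.get(frame.src, State.UNAUTHENTICATED)
        if frame.subtype == "probe_req":
            # Step 2: answer probes that name this network (or use the wildcard SSID).
            if frame.body.get("ssid") in (self.ssid, ""):
                return Frame("probe_resp", self.bssid, frame.src,
                             {"ssid": self.ssid, "rates": self.rates, "security": self.security})
            return None
        if frame.subtype == "auth":
            # Step 3: open-system authentication; the AP answers with a status.
            ok = frame.body.get("algorithm") == "open"
            if ok:
                self.stations[frame.src] = State.AUTHENTICATED
            return Frame("auth", self.bssid, frame.src, {"status": "success" if ok else "failure"})
        if frame.subtype == "assoc_req":
            # Step 4: association is refused unless the station is already authenticated.
            if state == State.UNAUTHENTICATED:
                return Frame("assoc_resp", self.bssid, frame.src, {"status": "failure"})
            aid = self.aids.setdefault(frame.src, self._next_aid)
            if aid == self._next_aid:
                self._next_aid += 1
            self.stations[frame.src] = State.ASSOCIATED
            return Frame("assoc_resp", self.bssid, frame.src, {"status": "success", "aid": aid})
        return None


def join(ap, sta_mac, ssid_wanted):
    """Run the station side of the exchange; returns the assigned AID or None."""
    beacon = ap.beacon()
    if beacon.body["ssid"] not in (ssid_wanted, ""):
        return None  # not the network we are looking for
    resp = ap.handle(Frame("probe_req", sta_mac, BROADCAST, {"ssid": ssid_wanted}))
    if resp is None or resp.body["ssid"] != ssid_wanted:
        return None
    auth = ap.handle(Frame("auth", sta_mac, ap.bssid, {"algorithm": "open"}))
    if auth.body["status"] != "success":
        return None
    assoc = ap.handle(Frame("assoc_req", sta_mac, ap.bssid, {"ssid": ssid_wanted}))
    return assoc.body.get("aid") if assoc.body["status"] == "success" else None


if __name__ == "__main__":
    ap = AccessPoint("00:11:22:33:44:55", "corp-wlan", [1, 2, 5.5, 11], "WPA2")
    print("AID:", join(ap, "aa:bb:cc:dd:ee:01", "corp-wlan"))
```

The state table is the point of the example: an association request from a station the AP has never authenticated is refused, which is why the module's order (beacon, probe, authenticate, associate) cannot be shuffled, and a cloaked AP still answers a probe that names it, which foreshadows the decloaking discussion later in the module.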
Beacon Packet
This Wireshark screenshot shows a regular beacon frame with the timestamp, beacon
interval, and SSID parameter set.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Association Reply Packet
This Wireshark screenshot shows a successful association to an AP. The AID is the
equivalent of a port on a switch and helps the network keep track of all the clients that
are active at a given moment.
Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.
Topic 3: 802.11 Wireless LAN Technology
Understanding 802.11 WLAN Vulnerabilities
The 802.11 WLAN is vulnerable to attack because of poor configuration and weak encryption.
Vulnerabilities Due to Poor Configuration
While WLANs are easy to deploy, their configuration is not airtight. This poor
configuration leads to inadequate or zero security for wireless network users and results
in a wide range of vulnerabilities.
For instance, WLANs are vulnerable when:
- Wireless networks are open and do not ask for client authentication at login
- APs are placed in physically unsecured locations
- APs are configured with inadequate security mechanisms
Vulnerabilities Due to Poor Encryption
Even if the AP is physically secure and an encryption protocol is in place, the AP may
still be vulnerable due to problems with the encryption protocols themselves. Though
there are many wireless encryption standards, problems have surfaced with most of
them.
Examples:
- The wired equivalent privacy (WEP) security standard is flawed and can be defeated
  in a number of ways.
- The Wi-Fi Protected Access-Pre-Shared Key (WPA-PSK) and WPA2-PSK technique
  is vulnerable to brute-force and dictionary attacks.
- The Wi-Fi Protected Access-Temporal Key Integrity Protocol (WPA-TKIP) can be
  vulnerable to DoS attacks.
Topic 3: 802.11 WLAN Technology
Basic Security Mechanisms
To address the poor configuration issues faced by 802.11 WLANs, network operators
employ two basic security mechanisms: they cloak the network and filter media access
control (MAC) addresses.
Step 1
The Transmitting Beacon
The beacon frame is a management frame in 802.11 WLAN. It contains information
about the AP transmitting the beacon, specifies the time interval between beacon
transmissions, and lists the supported data rates, timestamp, and the SSID of the
network.
Step 2
Cloaking the Network
Any unauthorized person equipped with a PC, a wireless sniffing tool, and a wireless
card or antenna can access this beacon. Through the beacon, anyone can scan or
eavesdrop on the network to locate user credentials and confidential data. The operator
of the AP can choose not to broadcast the SSID of the network. This is known as
network cloaking.
Step 3
Network Still Visible
In a cloaked network, only people who know the network’s name will be able to connect
to it. However, disabling the SSID in the beacon broadcasting still leaves the network
open. The presence of the network is still visible to everyone in range, and the network
name could be determined by a third party who listens in on legitimate clients connecting
to the network.
Step 4
Decloaking the AP
Cloaking, however, is not foolproof. Hackers can still intercept the traffic generated by
clients and discover the network. When a client joins an AP with a cloaked SSID, the
SSID is sent in plaintext during the authentication. This transmitted data is visible to
anyone in range, and hackers can use the observed transmission to infer the presence
of a cloaked network and "decloak" the AP.
Step 5
MAC Address Filtering
The other option is allowing only certain MAC addresses to access the network. Each
NIC has a unique MAC address assigned to it. This address can be used to identify the
make and model of the NIC. The AP operator can use these MAC addresses to provide
service only to known NICs. This is known as MAC address filtering.
Step 6
Filtering Effort Defeated
However, there are loopholes to filtering MAC addresses. Hackers can spoof an
authenticated client’s MAC and connect to the network once the client is no longer
associated with the AP and easily defeat the filter.
Topic 3: 802.11 WLAN Technology
Activity
These are the steps required to establish a WLAN connection. Can you place them in
the correct order for the WLAN connection to be established?

Steps (enter the correct order for each):
- The NIC sends a probe request to connect to a specific AP. The AP responds by
  communicating the data rate, SSID, and security implementation.
- The AP broadcasts beacons with the SSID.
- The NIC sends an association request to the AP. The AP responds by setting up
  the data link and mapping an AID to the client.
- The NIC sends an authentication request to the AP. The AP responds with a
  "success" or "failure" status.

Correct Answer:
- The NIC sends a probe request to connect to a specific AP. The AP responds by
  communicating the data rate, SSID, and security implementation. Correct order: 2
- The AP broadcasts beacons with the SSID. Correct order: 1
- The NIC sends an association request to the AP. The AP responds by setting up
  the data link and mapping an AID to the client. Correct order: 4
- The NIC sends an authentication request to the AP. The AP responds with a
  "success" or "failure" status. Correct order: 3
Feedback:
Here is the correct order of the steps required to establish a WLAN connection:
1. The AP broadcasts beacons with the SSID.
2. The NIC sends a probe request to connect to a specific AP. The AP responds by
communicating the data rate, SSID, and security implementation.
3. The NIC sends an authentication request to the AP. The AP responds with a
"success" or "failure" status.
4. The NIC sends an association request to the AP. The AP responds by setting up the
data link and mapping an AID to the client.
Topic 4: 802.11 WLAN Discovery
Tools and Scanners
WLAN discovery is the process of listing all available wireless networks within range and
is the first step in wireless penetration testing, or "pentesting." WLAN discovery tools fall
under two categories: active and passive scanners.
Active Scanner
Step 1
Active scanners send probe requests to all nearby APs with the SSID set to "ANY."
Step 2
Most routers reply to these probe requests with broadcast beacons, which the scanner
uses to detect the existence of an AP. Broadcast beacons are transmitted by all APs
periodically and usually contain the SSID. Active scanners can discover these networks.
Passive Scanner
Step 1
Passive scanners monitor all traffic generated on the radio frequency, including
broadcast beacons.
Step 2
They are able to detect "hidden" networks by inferring the presence of the networks via
data traffic. Pentesters prefer passive scanners since they don’t directly interact with any
of the APs, making them harder to spot.
Step 3
Reference: Kismet product screenshot reprinted with permission from Kismet Wireless.
Kismet is an 802.11 wireless network detector and sniffer for the UNIX environment.
Kismet passively collects beacon packets to detect both normally named and hidden
networks. Once it has identified a hidden network, it decloaks it by observing clients
that join. This screenshot shows the available wireless networks in range, with hidden
networks displayed as <no ssid>.
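The decloaking described under Basic Security Mechanisms (Steps 2 to 4) and the passive detection Kismet performs, as one added example that is not part of the module or of Kismet: it parses raw 802.11 management frames, records a beacon whose SSID element is empty or NUL-filled as a hidden network, and fills the name in once a probe response or an association request for that BSSID carries the SSID in the clear. The frames are constructed byte strings with only the SSID element present, and the BSSIDs, client MAC and network names are made up.

```python
"""Passive 802.11 scanner: beacon parsing, hidden-SSID detection and decloaking.
Added example; the frames built below are constructed, not captured traffic."""
import struct

# Frame-control byte 0 for the management subtypes handled here (type bits = 00).
BEACON, PROBE_RESP, ASSOC_REQ = 0x80, 0x50, 0x00
SSID_IE = 0                                               # element ID of the SSID
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4}    # fixed fields before elements


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def beacon_fixed(interval=100, capability=0x0411):
    """Timestamp, beacon interval and capability fields (beacon / probe response)."""
    return struct.pack("<QHH", 0, interval, capability)


def assoc_fixed(listen_interval=10, capability=0x0411):
    """Capability and listen-interval fields of an association request."""
    return struct.pack("<HH", capability, listen_interval)


def build_frame(subtype, src, bssid, fixed, ssid, dst="ff:ff:ff:ff:ff:ff"):
    """24-byte header + fixed fields + one SSID element (other elements omitted)."""
    header = bytes([subtype, 0]) + b"\x00\x00" + _mac(dst) + _mac(src) + _mac(bssid) + b"\x00\x00"
    return header + fixed + bytes([SSID_IE, len(ssid)]) + ssid


def parse_elements(data):
    """Walk the tagged parameters and return {element id: value}."""
    out, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        out[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def parse_frame(raw):
    """Return the fields a scanner cares about, or None for other frame types."""
    if len(raw) < 24:
        return None
    subtype = raw[0] & 0xF0
    if raw[0] & 0x0C != 0 or subtype not in FIXED_LEN:
        return None                      # data/control frame or unhandled subtype
    elems = parse_elements(raw[24 + FIXED_LEN[subtype]:])
    return {"subtype": subtype, "src": _mac_str(raw[10:16]),
            "bssid": _mac_str(raw[16:22]), "ssid": elems.get(SSID_IE)}


def ssid_hidden(ssid):
    """Cloaked APs send a zero-length SSID or one consisting only of NUL bytes."""
    return ssid is None or ssid.strip(b"\x00") == b""


class PassiveScanner:
    """Builds the network list from observed frames without transmitting anything."""

    def __init__(self):
        self.networks = {}   # bssid -> {"ssid": str | None, "hidden": bool}

    def observe(self, raw):
        f = parse_frame(raw)
        if f is None:
            return
        rec = self.networks.setdefault(f["bssid"], {"ssid": None, "hidden": False})
        if f["subtype"] == BEACON:
            if ssid_hidden(f["ssid"]):
                rec["hidden"] = True          # beacon seen, but the name is withheld
            else:
                rec["ssid"] = f["ssid"].decode(errors="replace")
        elif not ssid_hidden(f["ssid"]):
            # Probe responses (from the AP) and association requests (from a joining
            # client) carry the SSID in plaintext, which is what decloaks a hidden AP.
            rec["ssid"] = f["ssid"].decode(errors="replace")

    def report(self):
        """BSSID -> name, using the same <no ssid> marker Kismet shows for hidden APs."""
        return {b: r["ssid"] if r["ssid"] else "<no ssid>" for b, r in self.networks.items()}


if __name__ == "__main__":
    s = PassiveScanner()
    s.observe(build_frame(BEACON, "02:00:00:00:01:aa", "02:00:00:00:01:aa", beacon_fixed(), b""))
    print(s.report())
```

Note that the scanner never sends a frame: the name of the cloaked network arrives on its own as soon as a legitimate client joins, which is exactly why hiding the SSID is not a security control.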
Topic 4: 802.11 WLAN Discovery
Rogue Hunt
A "rogue" wireless access point is an unauthorized router that is:
- Installed by a company employee who sets up unauthorized wireless connectivity
- Placed on a company LAN behind a corporate firewall
- Left in its factory default state, in which it is completely open and unsecured
Companies with LANs should run routine checks or conduct rogue hunts for
unauthorized APs as part of their regular network security audits.
Rogue Hunt
To conduct a rogue hunt, network operators periodically run wireless scanners from
multiple points in the area under investigation to spot networks and pinpoint their
physical locations.
Rogue Neglect
Most companies, however, do not use authorized wireless services, so they neglect
wireless security and fail to conduct wireless checks. Unfortunately, this attitude
encourages the possibility of rogue devices being installed by employees or hackers.
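A rogue-hunt pass of the kind described above, as an added example that is not part of the module: scan records gathered from several vantage points are compared with the inventory of authorized APs, and any unknown BSSID, any AP left open, and any inventoried AP seen with a different SSID or security setting is reported together with the vantage point where its signal was strongest. The inventory, the vantage points and every scan record are constructed.

```python
"""Rogue access point hunt over multi-vantage scan results. Added example;
the inventory and scan records are constructed for illustration."""
from collections import defaultdict

# Authorized inventory: BSSID -> (SSID, expected security). Constructed.
AUTHORIZED = {
    "00:1a:2b:00:00:01": ("corp-wlan", "WPA2"),
    "00:1a:2b:00:00:02": ("corp-wlan", "WPA2"),
    "00:1a:2b:00:00:03": ("corp-guest", "WPA2"),
}

# Constructed scan records: (vantage point, BSSID, SSID, security, RSSI in dBm)
SCANS = [
    ("lobby",     "00:1a:2b:00:00:01", "corp-wlan",  "WPA2", -48),
    ("lobby",     "00:1a:2b:00:00:03", "corp-guest", "WPA2", -55),
    ("lobby",     "c0:ff:ee:00:00:99", "linksys",    "OPEN", -71),
    ("floor2",    "00:1a:2b:00:00:02", "corp-wlan",  "WPA2", -50),
    ("floor2",    "c0:ff:ee:00:00:99", "linksys",    "OPEN", -42),
    ("floor2",    "de:ad:be:ef:00:10", "corp-wlan",  "WPA2", -60),
    ("warehouse", "c0:ff:ee:00:00:99", "linksys",    "OPEN", -80),
    ("warehouse", "00:1a:2b:00:00:02", "corp-wlan",  "WPA",  -66),
]


def find_rogues(scans, authorized):
    """Return {bssid: finding} for every AP that deserves a closer look."""
    seen = defaultdict(list)
    for vantage, bssid, ssid, sec, rssi in scans:
        seen[bssid].append((vantage, ssid, sec, rssi))
    corporate_ssids = {ssid for ssid, _ in authorized.values()}
    findings = {}
    for bssid, obs in seen.items():
        ssids = {o[1] for o in obs}
        secs = {o[2] for o in obs}
        # The vantage point with the strongest signal is the first place to go looking.
        nearest = max(obs, key=lambda o: o[3])[0]
        reasons = []
        if bssid not in authorized:
            reasons.append("unknown BSSID")
            if ssids & corporate_ssids:
                reasons.append("advertises a corporate SSID")
            if "OPEN" in secs:
                reasons.append("open / factory-default security")
        else:
            exp_ssid, exp_sec = authorized[bssid]
            if ssids != {exp_ssid}:
                reasons.append("SSID differs from inventory")
            if secs != {exp_sec}:
                reasons.append(f"security differs from inventory ({', '.join(sorted(secs))})")
        if reasons:
            findings[bssid] = {"ssids": ssids, "nearest": nearest, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for bssid, finding in find_rogues(SCANS, AUTHORIZED).items():
        print(bssid, finding["nearest"], "; ".join(finding["reasons"]))
```

Running the scan from more than one point is what makes the "nearest" column useful: a single reading says only that something is in range, while the strongest of several readings narrows down where to start the physical search.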
Topic 5: 802.11 Security Protocols
IEEE 802.1x/EAP
IEEE 802.1x, a port-based network access control, is a standardized authentication
framework and layer 2 protocol designed to provide enhanced security for wireless LAN
users. IEEE developed the 802.11i standard for WLAN authentication and authorization
to use IEEE 802.1x.
802.1x authenticates the network client or user, not the network’s hardware.
Authentication is carried out by:
- Checking the information or credentials of network clients before their data is
  transmitted across network devices.
- Defining how extensible authentication protocol (EAP) frames are encapsulated
  between a user’s computer and a switch or wireless access point.
- No longer requiring APs to advertise their SSID. Users simply make an access
  request to the WLAN by providing their credentials, such as username/password, to
  the AP.
There are three primary components in the IEEE 802.1x authentication process.
Supplicant or Client
The supplicant is any user device—PC, notebook, IP Phone—that supports the IEEE
802.1x and EAP standards. Supplicants send their login credentials to the authenticator.
Authenticator
The authenticator is a switch or wireless access point that acts as a proxy to relay a
user’s credentials between the supplicant and the authentication server. When the
authenticator receives the credentials via EAP over LAN (EAPOL) frames, it passes
them to the authentication server. In this way, the authenticator manages to enforce
physical access control to the network without directly authenticating the
supplic…
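The supplicant, authenticator and authentication server exchange described above, simulated as an added example that is not part of the module: the supplicant sends EAPOL-Start, the authenticator relays EAP between supplicant and server without checking any credential itself, and it drops ordinary traffic on the controlled port until the server returns EAP-Success. The EAPOL and EAP header layouts follow the standard; the challenge-response method is a toy built on HMAC-SHA256 under EAP type 255 (the experimental type), and every identity, secret and MAC address is made up.

```python
"""IEEE 802.1x port-based access control, simulated end to end. Added example;
the EAP method, users and addresses are constructed."""
import hashlib
import hmac
import os
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1                               # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes
EAP_TYPE_IDENTITY, EAP_TYPE_TOY = 1, 255                           # 255 = experimental


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header (code, identifier, length) followed by an optional type and data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol(ptype, payload=b""):
    """EAPOL header (version 2, packet type, body length) around an EAP packet."""
    return struct.pack("!BBH", 2, ptype, len(payload)) + payload


def parse_eapol(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    return ptype, frame[4:4 + length]


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    return code, ident, (body[0] if body else None), body[1:]


class AuthServer:
    """RADIUS-style back end: knows the users and drives the EAP conversation."""

    def __init__(self, users):
        self.users = users        # identity -> shared secret (constructed)
        self.sessions = {}        # identity -> outstanding challenge

    def handle(self, eap):
        code, ident, etype, data = parse_eap(eap)
        if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY:
            identity, chal = data.decode(), os.urandom(16)
            self.sessions[identity] = chal
            return eap_packet(EAP_REQUEST, ident + 1, EAP_TYPE_TOY,
                              identity.encode() + b"\x00" + chal)
        if code == EAP_RESPONSE and etype == EAP_TYPE_TOY:
            identity, _, proof = data.partition(b"\x00")
            chal = self.sessions.pop(identity.decode(), None)
            secret = self.users.get(identity.decode())
            if chal and secret and hmac.compare_digest(
                    proof, hmac.new(secret, chal, hashlib.sha256).digest()):
                return eap_packet(EAP_SUCCESS, ident)
        return eap_packet(EAP_FAILURE, ident)


class Authenticator:
    """Switch or AP: relays EAP and opens the controlled port only on EAP-Success."""

    def __init__(self, server):
        self.server = server
        self.port_authorized = {}     # supplicant MAC -> bool

    def receive(self, mac, frame):
        ptype, payload = parse_eapol(frame)
        if ptype == EAPOL_START:
            return eapol(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        reply = self.server.handle(payload)       # pure proxy: no local credential check
        code = parse_eap(reply)[0]
        if code in (EAP_SUCCESS, EAP_FAILURE):
            self.port_authorized[mac] = code == EAP_SUCCESS
        return eapol(EAPOL_EAP_PACKET, reply)

    def forward_data(self, mac, payload):
        """Anything other than EAPOL is dropped while the port is unauthorized."""
        return payload if self.port_authorized.get(mac) else None


def supplicant_login(auth, mac, identity, secret):
    """Run the exchange from the client side; True once EAP-Success arrives."""
    frame = auth.receive(mac, eapol(EAPOL_START))
    while True:
        code, ident, etype, data = parse_eap(parse_eapol(frame)[1])
        if code == EAP_SUCCESS:
            return True
        if code != EAP_REQUEST:
            return False
        if etype == EAP_TYPE_IDENTITY:
            resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode())
        else:
            chal = data.partition(b"\x00")[2]
            proof = hmac.new(secret, chal, hashlib.sha256).digest()
            resp = eap_packet(EAP_RESPONSE, ident, EAP_TYPE_TOY,
                              identity.encode() + b"\x00" + proof)
        frame = auth.receive(mac, eapol(EAPOL_EAP_PACKET, resp))
```

The authenticator never sees a password or a key: it only learns the verdict, which is the separation the module describes between the access device that enforces the port and the server that actually authenticates.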