СЦЕНАРІЙ АТАКИ З ВИКОРИСТАННЯМ НЕСАНКЦІОНОВАНОЇ ТОЧКИ ДОСТУПУ У МЕРЕЖАХ IEEE 802.11

One of the most serious security threats to wireless local area networks (WLANs) in recent years is rogue access points that intruders use to spy on and attack. Due to the open nature of the wireless transmission medium, an attacker can easily detect the MAC addresses of other devices, commonly used as unique identifiers for all nodes in the network, and implement a spoofing attack, creating a rogue access point, the so-called "Evil Twin". The attacker goal is to connect legitimate users to a rogue access point and gain access to confidential information. This article discusses the concept, demonstrates the practical implementation and analysis of the “Evil Twin” attack. The algorithm of the intruder's actions, the scenario of attack on the client, and also procedure for setting up the program-implemented rogue access point is shown. It has been proven that the implementation of the attack is possible due to the existence of several access points with the same service set identifier and MAC address in the same area, allowed by 802.11 standard. The reasons for failure operation of the network and possible interception of information as a result of the attack are identified, methods of detecting rogue access points are analyzed. During the experiment, observations of the 802.11 frames showed that there were deviations in the behavior of beacon frames at the time of the "Evil Twin" attack. First, the number of beacon frames coming from the access point which succumbed to the attack is increasing. Secondly, the traffic analyzer detected significant fluctuations in the values of the received signal level, which simultaneously come from a legitimate and rogue access point, which allows to distinguish two groups of beacon frames. The "Evil Twin" attack was implemented and researched using Aircrack-ng – a package of software for auditing wireless networks, and Wireshark – network traffic analyzer. In the future, the results obtained can be used to improve methods of protection against intrusion into wireless networks, in order to develop effective systems for detecting and preventing intrusions into WLAN.Однією з найсерйозніших загроз безпеці безпроводових локальних мереж (WLAN) в останні роки є шахрайські несанкціоновані точки доступу, які зловмисники використовують для шпигунства і атак. Через відкритий характер середовища передачі безпроводових мереж, зловмисник може легко виявляти МАС-адреси інших пристроїв, що зазвичай використовуються як унікальні ідентифікатори для всіх вузлів в мережі та реалізовуючи спуфінг-атаку, створювати несанкціоновану безпроводову точку доступу, так званий, "Злий двійник" (“Evil Twin”). Зловмисник має на меті перепідключити законних користувачів до шахрайської точки доступу та отримати доступ до конфіденційної інформації. У даній статті розглянуто концепцію, продемонстровано практичну реалізацію та досліджено атаку “Evil Twin”. Показано алгоритм дій зловмисника, сценарій атаки на клієнта, а також процедуру налаштування програмно-реалізованої несанкціонованої точки доступу. Доведено, що реалізація атаки можлива завдяки, дозволеному стандартом 802.11, існуванню кількох точок доступу з однаковими ідентифікатором набору послуг та MAC-адресою в одній і тій же області. Виявлено причини порушення функціонування мережі та можливого перехоплення інформації в результаті атаки, проаналізовано сучасні методи виявлення несанкціонованих точок доступу. В ході експерименту, проведено спостереження за кадрами 802.11 та показано, що існують відхилення в поведінці кадрів-маяків під час атаки "Evil Twin". По-перше кількість кадрів-маяків, які надходять від точки доступу, що піддалась атаці, зростає. По-друге, аналізатором трафіку зафіксовано суттєві флуктуації значень рівня прийнятого сигналу, які одночасно надходять від легітимної та шахрайської точки доступу, що дозволяє виділити дві групи кадрів-маяків.  Реалізація та дослідження даного виду атаки проведено з використанням пакету програм для аудиту безпроводових мереж Aircrack-ng та Wireshark для захоплення і аналізу мережного трафіку. В подальшому отримані результати можуть бути використані для вдосконалення методів захисту від стороннього втручання в безпроводові мережі, з метою розробки ефективних систем виявлення і запобігання вторгнень в WLAN

A measurement based rogue ap detection scheme

points (APs) that pretend to be legitimate APs to lure users to connect to them. We propose a practical timing based technique that allows the user to avoid connecting to rogue APs. Our method employs the round trip time between the user and the DNS server to independently determine whether an AP is legitimate or not without assistance from the WLAN operator. We implemented our detection technique on commercially available wireless cards to evaluate their performance. I

IEEE 802.11 user fingerprinting and its applications for intrusion detection

AbstractEasy associations with wireless access points (APs) give users temporal and quick access to the Internet. It needs only a few seconds to take their machines to hotspots and do a little configuration in order to have Internet access. However, this portability becomes a double-edged sword for ignorant network users. Network protocol analyzers are typically developed for network performance analysis. Nonetheless, they can also be used to reveal user’s privacy by classifying network traffic. Some characteristics in IEEE 802.11 traffic particularly help identify users. Like actual human fingerprints, there are also unique traffic characteristics for each network user. They are called network user fingerprints, by tracking which more than half of network users can be connected to their traffic even with medium access control (MAC) layer pseudonyms. On the other hand, the concept of network user fingerprint is likely to be a powerful tool for intrusion detection and computer/digital forensics. As with actual criminal investigations, comparison of sampling data to training data may increase confidence in criminal specification. This article focuses on a survey on a user fingerprinting technique of IEEE 802.11 wireless LAN traffic. We also summarize some of the researches on IEEE 802.11 network characteristic analysis to figure out rogue APs and MAC protocol misbehaviors

Traffic characteristics mechanism for detecting rogue access point in local area network

Rogue Access Point (RAP) is a network vulnerability involving illicit usage of wireless access point in a network environment. The existence of RAP can be identified using network traffic inspection. The purpose of this thesis is to present a study on the use of local area network (LAN) traffic characterisation for typifying wired and wireless network traffic through examination of packet exchange between sender and receiver by using inbound packet capturing with time stamping to indicate the existence of a RAP. The research is based on the analysis of synchronisation response (SYN/ACK), close connection respond (FIN/ACK), push respond (PSH/ACK), and data send (PAYLOAD) of the provider’s flags which are paired with their respective receiver acknowledgment (ACK). The timestamp of each pair is grouped using the Equal Group technique, which produced group means. These means were then categorised into three zones to form zone means. Subsequently, the zone means were used to generate a global mean that served as a threshold value for identifying RAP. A network testbed was developed from which real network traffic was captured and analysed. A mechanism to typify wired and wireless LAN traffic using the analysis of the global mean used in the RAP detection process has been proposed. The research calculated RAP detection threshold value of 0.002 ms for the wired IEEE 802.3 LAN, while wireless IEEE 802.11g is 0.014 ms and IEEE 802.11n is 0.033 ms respectively. This study has contributed a new mechanism for detecting a RAP through traffic characterisation by examining packet communication in the LAN environment. The detection of RAP is crucial in the effort to reduce vulnerability and to ensure integrity of data exchange in LA

On fast and accurate detection of unauthorized wireless access points using clock skews

Journal ArticleWe explore the use of clock skew of a wireless local area network access point (AP) as its fingerprint to detect unauthorized APs quickly and accurately. The main goal behind using clock skews is to overcome one of the major limitations of existing solutions-the inability to effectively detect Medium Access Control (MAC) address spoofing. We calculate the clock skew of an AP from the IEEE 802.11 Time Synchronization Function (TSF) time stamps sent out in the beacon/probe response frames. We use two different methods for this purpose-one based on linear programming and the other based on least-square fit. We supplement these methods with a heuristic for differentiating original packets from those sent by the fake APs. We collect TSF time stamp data from several APs in three different residential settings. Using our measurement data as well as data obtained from a large conference setting, we find that clock skews remain consistent over time for the same AP but vary significantly across APs. Furthermore, we improve the resolution of received time stamp of the frames and show that with this enhancement, our methodology can find clock skews very quickly, using 50-100 packets in most of the cases. We also discuss and quantify the impact of various external factors including temperature variation, virtualization, clock source selection, and NTP synchronization on clock skews. Our results indicate that the use of clock skews appears to be an efficient and robust method for detecting fake APs in wireless local area networks

Model-based provisioning and management of adaptive distributed communication in mobile cooperative systems

Adaptation of communication is required to maintain the reliable connection and to ensure the minimum quality in collaborative activities. Within the framework of wireless environment, how can host entities be handled in the event of a sudden unexpected change in communication and reliable sources? This challenging issue is addressed in the context of Emergency rescue system carried out by mobile devices and robots during calamities or disaster. For this kind of scenario, this book proposes an adaptive middleware to support reconfigurable, reliable group communications. Here, the system structure has been viewed at two different states, a control center with high processing power and uninterrupted energy level is responsible for global task and entities like autonomous robots and firemen owning smart devices act locally in the mission. Adaptation at control center is handled by semantic modeling whereas at local entities, it is managed by a software module called communication agent (CA). Modeling follows the well-known SWRL instructions which establish the degree of importance of each communication link or component. Providing generic and scalable solutions for automated self-configuration is driven by rule-based reconfiguration policies. To perform dynamically in changing environment, a trigger mechanism should force this model to take an adaptive action in order to accomplish a certain task, for example, the group chosen in the beginning of a mission need not be the same one during the whole mission. Local entity adaptive mechanisms are handled by CA that manages internal service APIs to configure, set up, and monitors communication services and manages the internal resources to satisfy telecom service requirements

IEEE 802.11 i Security and Vulnerabilities

Despite using a variety of comprehensive preventive security measures, the Robust Secure Networks (RSNs) remain vulnerable to a number of attacks. Failure of preventive measures to address all RSN vulnerabilities dictates the need for enhancing the performance of Wireless Intrusion Detection Systems (WIDSs) to detect all attacks on RSNs with less false positive and false negative rates

Towards Secure, Power-Efficient and Location-Aware Mobile Computing

In the post-PC era, mobile devices will replace desktops and become the main personal computer for many people. People rely on mobile devices such as smartphones and tablets for everything in their daily lives. A common requirement for mobile computing is wireless communication. It allows mobile devices to fetch remote resources easily. Unfortunately, the increasing demand of the mobility brings many new wireless management challenges such as security, energy-saving and location-awareness. These challenges have already impeded the advancement of mobile systems. In this dissertation we attempt to discover the guidelines of how to mitigate these problems through three general communication patterns in 802.11 wireless networks. We propose a cross-section of a few interesting and important enhancements to manage wireless connectivity. These enhancements provide useful primitives for the design of next-generation mobile systems in the future.;Specifically, we improve the association mechanism for wireless clients to defend against rogue wireless Access Points (APs) in Wireless LANs (WLANs) and vehicular networks. Real-world prototype systems confirm that our scheme can achieve high accuracy to detect even sophisticated rogue APs under various network conditions. We also develop a power-efficient system to reduce the energy consumption for mobile devices working as software-defined APs. Experimental results show that our system allows the Wi-Fi interface to sleep for up to 88% of the total time in several different applications and reduce the system energy by up to 33%. We achieve this while retaining comparable user experiences. Finally, we design a fine-grained scalable group localization algorithm to enable location-aware wireless communication. Our prototype implemented on commercial smartphones proves that our algorithm can quickly locate a group of mobile devices with centimeter-level accuracy