www.ajcse.

info

Asian Journal of Computer Science Engineering 2017; 2(3):11-16

RESEARCH ARTICLE

Wireless Network Security Software

1
Ameya Kisan Mohape*, 2Vinit Shankar Bhoye, 3Archana Ganesh Mhatre, 4Prof. Smita Bhoir,
5
Prof. Prashant Lokhande

Computer Science Department, RAIT, Nerul, India

Received on: 17/02/2017, Revised on: 25/03/2017, Accepted on: 20/05/2017

ABSTRACT
Wireless networks are more vulnerable than wired networks due to omnidirectional nature of
electromagnetic radiation and no physical connection. Some of these networks are secured using
cryptographically broken Wired Equivalent Privacy (WEP) while most are based on the newer Wi-Fi
Protected Access (WPA/WPA2) encryption which is still vulnerable to a certain degree. Security of a Wi-
Fi Access Point (AP) may be compromised due to user’s lack of technical knowledge, inbuilt flaws or an
intentional attack. We have developed an application called Wireless Network Security Software –
software with the capability to detect AP vulnerabilities and suggest prevention mechanism to increase
security. The software detects AP vulnerabilities by performing attacks such as Man in the Middle
(MITM), Denial of Service (DOS), MAC (Medium Access Control) address spoofing and DNS (Domain
Name System) spoofing. It also automatically captures 4-way handshake and tries to crack the AP
password using dictionary and custom wordlist attack. Prevention techniques are recommended based on
the results of performed attacks on AP.

Keywords—WPA, WPA2, aircrack-ng , cowpatty, eviltwin, handshake, spoofing, DOS.

INTRODUCTION respect to entropy.
Wireless Networks are more vulnerable than 1. WPA
wired networks. This is because in wired networks WPA was developed in 2003 and provides
nature of data transmission can be unicast, better security than WEP. It has a wide
multicast or broadcast depending on the range of target users: WPA-Personal for
requirement. However, in wireless networks data personal use, WPA-Enterprise with
is transmitted using radio waves that can be additional security for commercial
captured by anyone using a proper receiver and networks and Wi-Fi Protected Setup
software. Hence, data is broadcast while (WPS) for simple key distribution. WPA is
tranmission no matter what kind of delivery it vulnerable to dictionary and brute force
corresponds to. This application analyses the attacks.
captured data, tests the network for vulnerablilites 2. WPA2
and recommends prevention techniques for the WPA2 and WPA have a lot in common.
listed attacks. Firstly, WPA2 is an improvement over
The various attacks are as follows: WPA in which it uses Advanced
 MITM Encryption Standard (AES) based
 DNS spoofing encryption for stronger security. WPA2 is
 DOS also vulnerable to dictionary and brute
 MAC spoofing force attack however this might take a lot
The application is useful in performing of time.
penetration testing and network security analysis
on home, work or public networks that are setup RESEARCH PAPER SURVEY
in infrastructure mode. It detects vulnerabilities
and flaws in Access Point setup and recommends 1) An Experimental Study Analysis of Security
prevention techniques to avoid possible attacks. It Attacks at IEEE 802.11 WLAN [1]
also checks the network password strength with In this paper, we have worked an experimental

*Corresponding Author: Ameya Kisan Mohape, Email: mohapeameya@gmail.com

 Mahape Ameya et al.\ Wireless Network Security Software
analysis to study some of the well-known attacks could be exploited. The user might not configure
pertaining to IEEE 802.11 WLAN. IEEE 802.11 the system at all as many latest systems can be
wireless networks have become one of the most used without any configuration and work out-of-
widely used networks. Due to open nature of the-box. This creates vulnerabilities that have
wireless medium, hackers and intruders can make potential for attacks such as MITM, DOS, MAC
utilization of the loopholes of the wireless spoofing, and DNS spoofing. Also router
communication; as a result, there are many firmware might have vulnerabilities or in-built
security threats associated with Wireless Local flaws that can be used by an intruder to attack the
Area Network (WLAN). system. An application is described to detect these
vulnerabilities and to prevent attacks that exploit
2) A comparative analysis of wireless security them.
protocols (wep and wpa2) [2]
This paper is a comparative analysis of WEP, TOOLS NEEDED TO SCAN WPA/WPA2 NETWORK
WPA and WPA2. We have tried to perform and  Kali Linux operating system
check authentication of all 3 protocols by  Wireless Access Point with WPA/WPA2
implying the legendary attack vector scripts i.e. security
AJCSE, May-June, 2017, Vol. 2, Issue 3

Air crack set of tools. The test was conducted on  Wireless network card capable of monitor
Back Track operating system which is considered mode and packet injection with Atheros
as dedicated penetration testing operating system. chipset (TP-LINK TL-WN722N 150Mbps
In the test result, we found out that WEP is the High-Gain)
weakest, to which WPA was a temporary solution
and WPA2 is a very solid and long term solution. IMPLEMENTATION

Present system includes network testing tools such Handshake Capture

as NetStumbler that offer only a few The 4-way handshake[1]used to crack the
functionalities and are outdated. Another solutions password contains the hash of the WPA/WPA2
are firewalls and antivirus systems. These are real password and is calculated using network name as
time application. These do not provide prevention salt value.
mechanisms to avoid the attack in the first place.
Also antivirus is a heavy application and most of
them don’t support Unix and Linux systems.
These systems lack functionalities such as
penetration testing and vulnerability analysis. Fig. 1: WPA Handshake hash calculation.

Drawbacks of current systems: Step 1: Use “airmon-ng start wlan0” where

 Only real time attack detection, “airmon-ng” [2] is a program to put interface in
 No attack prevention mechanisms, monitor mode and “wlan0’ is the name of the
 Don’t support Unix and Linux systems, wireless interface.
 Lack vulnerability analysis. Step 2: Capture packets in monitor mode. Use
“airodump-ng wlan0mon” to capture packets
PROBLEM STATEMENT where “airodump-ng” [2] is a program to capture
Now-a-days the need for Wi-Fi access points has wireless packets and “wlan0mon” is interface
increased greatly. Routers come with name. Wait for some time to get a list of access
preconfigured settings that need little to no points. Use Ctrl+C to stop packet capture.
understanding of the system. These systems come Step 3: Search for the target network name under
with default settings and can be vulnerable to a Extended Service Set Identification (ESSID)
number of attacks. These attacks include password column. Note down ESSID, Basic Service Set
bruteforcing, default password guessing, no or Identification (BSSID) and channel number of the
poor security protocol, encryption protocol network.
exploitations, etc. which makes these Step 4: Monitor and capture packets going through
vulnerabilities dangerous. Sometimes, the user the target network. Use “airodump-ng –channel X
might lack knowledge regarding the working of –bssid XX:XX:XX:XX:XX:XX –w nname” where
the system. The user might configure the system “X” is the channel number,
incorrectly leaving behind vulnerabilities that “XX:XX:XX:XX:XX:XX” is the BSSID or
12
© 2015, AJCSE. All Rights Reserved.
 Mahape Ameya et al.\ Wireless Network Security Software
Medium Access Control (MAC) address of target create the password. Entropy of a password of
network and “nname” is the name or ESSID of the length L is calculated using the formula:
network. E = L.Log2∑ (size of character CSi set used)
Step 5: De-authenticate all clients and force them Where CSi is the ith character set.
to reconnect to the target access point. 4-way E.g. 1. For password “JohnAnderson@123” :
handshake can be captured by “airodump-ng” [2] Entropy E = 16.log2(26+26+10+33) =
during this process. Use “aireplay-ng -0 10 –a XX: 105.12 bits
XX: XX: XX: XX: XX wlan0mon” in another E.g. 2. For password “Password123” :
terminal to de-authenticate clients. Program Entropy E = 11.log2(26+26+10) = 65.5 bits
“aireplay-ng” [2] is used to send de-authentication Therefore password “JohnAnderson@123”
frames. Successful handshake capture will be is cryptographically stronger than
shown at the top-right corner of “airodump-ng” [2] “Password123”.
window.
AJCSE, May-June, 2017, Vol. 2, Issue 3

Step 6: Crack the password using Aircrack-ng [2] Such a network has weak security and can be
and a password list. Use “aircrack-ng –w secured by using a strong passphrase. Passphrase
/path/to/password_file.lst –b XX: XX: XX: XX: must not be a common language word. It must be a
XX: XX /path/to/capture file/nname-01.cap” random combination of alphabets, numbers and
special symbols which makes it hard to guess.
Available wordlists won’t contain such random
password.
The table below shows the password strength in
terms of entropy and its grade with respect to
security.

Password Entropy (in bits) Password Grade

<40 Very Weak
>40 and <60 Weak
>60 and <80 Reasonable
>80 and <120 Strong
>120 and <150 Very Strong
Fig. 2: Cracking password using Aircrack-ng. >150 Overkill
Table 1: Password Grades based on Entropy.
Aircrack-ng [2] goes through the password list and
compares its hash with one in 4-way handshake. If Evil Twin
found, the password would be shown besides Attack uses Man in the Middle (MITM) and
“KEY FOUND”. We can speedup this attack by Domain Name Server (DNS) spoofing attacks
calculating in advance the hash of network name along with social engineering.
and passwords using Cow patty [3].
Observed cracking speed using Aircrack-ng: 862 Step 1: Extract details of target network such as
keys/sec. Observed cracking speed using Cow ESSID, BSSID and channel number using
patty using pre-calculated hash: 184623 keys/sec. methodology similar to Handshake Capture.
This shows an approximately 214 times increase in Step 2: Setup fake access point using “airbase-ng
cracking speed. –essid nname –channel X wlan0mon” where
“airbase-ng” [2] is a program used to setup access
point, “nname” is ESSID or name of the network,
“X” is the channel number and “wlan0mon” is the
name of the interface in monitor mode.
Step 3: Airbase-ng [2] creates interface “at0” by
default. Give subnet and Internet Protocol (IP)
address to this interface.
“ifconfig at0 10.0.0.1 netmask 255.255.255.0”,
“route add -net 10.0.0.0 netmask 255.255.255.0
gw 10.0.0.1”, where “10.0.0.1” is the IP address
Fig. 3: Cracking password using Cowpatty using pre-calculated of “at0”, “255.255.255.0” is the network mask,
hash. “10.0.0.0” is the network address and “gw” is the
Password strength or Entropy of a password gateway.
depends on the length and character set used to Step 4: Give firewall rules
13
© 2015, AJCSE. All Rights Reserved.
 Mahape Ameya et al.\ Wireless Network Security Software
“iptables -t nat -A PREROUTING -j DNAT --to-
destination 10.0.0.1”
“iptables -t nat -A POSTROUTING -j
MASQUERADE”
where “iptables” [4] is used to set firewall rules
Step 5: Enable IP forwarding
Use “echo 1 > /proc/sys/net/ipv4/ip_forward”
Step 6: Configure Dynamic Host Configuration
Protocol (DHCP) server for subnet 10.0.0.0, Fig. 5: Successful Eviltwin attack.
netmask 255.255.255.0 and DNS server IP
10.0.0.1 along with IP pool. If handshake of target network is available then it
Step 7: Setup appropriate fake webpage in is also possible to verify harvested password in
directory /var/www/html to resemble target router real time using the Aircrack-ng [1] suite. This
administrator page. attack thus exploits client’s lack of knowledge
Step 8: Setup mysql database to store harvested about the wireless system through MITM and
AJCSE, May-June, 2017, Vol. 2, Issue 3

password through fake webpage. DNS spoofing attacks. Such attack can be avoided
Step 9: Start services by educating user about social engineering,
Use “/etc/init.d/mysql start” to start MYSQL [5] phishing and security issues of open Wi-Fi.
server.
Use “/etc/init.d/apache2 start” to start Apache [6] MAC Spoofing
web server. Access points might have filtered MAC addresses.
Use “service isc-dhcp-server start” to start DHCP MAC spoofing attack uses MAC address of
[7]
server. authentic users to gain access to networks with
Step 10: Start fake DNS server using “dnschef – such increased security.
fakeip=10.0.0.1 –i 10.0.0.1 -q” where “dnschef”
[8]
is used to setup fake DNS server. Step 1: Extract details of target network such as
Step 11: De-authenticate all users using “aireplay- ESSID, BSSID, channel number and target client
ng –c X –a XX:XX:XX:XX:XX:XX wlan0mon” MAC address using methodology similar to
where “X” is the channel number and Handshake Capture.
“XX:XX:XX:XX:XX:XX” is the ESSID of target Step 2: Use following commands to spoof MAC
network. address:
Step 12: If a targeted client connects to the fake “ifconfig wlan0 down”
access point it would get a socially engineered “macchanger –m XX:XX:XX:XX:XX:XX wlan0”
webpage asking for WPA password to upgrade “ifconfig wlan0 up”
router firmware. where “macchanger” [9] program is used to spoof
MAC address and “XX:XX:XX:XX:XX:XX” is
target client MAC address.
Step 3: Create wpa_supplicant [10] file for
connecting to the target network manually. Use
“wpa_passphrase ESSID Password
/path/to/wpa_file.conf” where “ESSID” is the
network name, “wpa_passphrase” [11] is used to
generate wpa_supplicant configuration file and
“Password” is the known network password.
Step 4: Try to connect to the target network
manually. Use “wpa_supplicant –D wext –i wlan0
–c /path/to/wpa_file.conf” where “wext” is the
wireless driver.
Step 5: Run DHCP client program to get IP for
Fig. 4: Fake socially engineered webpage.
the connected interface. Use “dhclient wlan0”
where “dhclient” [12] is used to configure client IP
If the client enters the password, it is stored in
address.
database on attacker’s machine and client is
redirected to a fake firmware upgrading page.

14
© 2015, AJCSE. All Rights Reserved.
 Mahape Ameya et al.\ Wireless Network Security Software
similar to Handshake Capture using “airmon-ng”.
Collect MAC address of clients connected to
target network from packet capture file.
Use “readarray -t value < <(grep -i -e
XX:XX:XX:XX:XX:XX /path/to/capture_file-
01.cap | cut -b -17)” where
“XX:XX:XX:XX:XX:XX” is the target ESSID.
Step 2: Continuously unicast and broadcast de-
authentication frames for all clients.
Use “aireplay-ng –c X –a
XX:XX:XX:XX:XX:XX wlan0mon” to broadcast
de-authentication frames where “X” is the channel
number and “XX:XX:XX:XX:XX:XX” is the
Fig. 6: Target client connection details. ESSID of target network.
Use “aireplay-ng –c X –a
If successful, wireless interface “wlan0” will get XX:XX:XX:XX:XX:XX –c
an IP address same as the target client. Using YY:YY:YY:YY:YY:YY wlan0mon” to unicast
AJCSE, May-June, 2017, Vol. 2, Issue 3

“ifconfig” we can see the IP address. de-authentication frames where

“YY:YY:YY:YY:YY:YY” is the client of target
network.

Fig. 7: Stolen IP address based on MAC.

If target client is continuously transmitting or

receiving data then frame collision takes place due
to IP conflict slowing down the attack
considerably.
Fig. 9: Result of DOS attack on client device.

Wireless DOS attack can be stopped only by

physically locating attacker and taking the
attacker machine offline because the de-
authentication frames used for DOS are part of
IEEE 802.11i standard.

RESULT
Fig. 8: Connection status during IP conflict. WPA/WPA2 provides nominal security when used
as WPA-Personal. Network security depends
However, neither client nor attacker can get entirely on the password strength and user’s
proper connection. But if target client is not knowledge about the wireless system.
transmitting or receiving any data then attacker’s
machine gets continuous access to the network. Handshake Capture
This attack can be slowed down by continuously Captured handshake can be used to crack network
checking connection with the AP. password only if the password is weak. If
password is a random combination of ASCII
Wireless Denial of Service (DOS) characters then it is highly unlikely that it would
Wireless DOS attack uses de-authentication be present in any precompiled wordlists. This can
frames to continuously disconnect all clients prevent dictionary attacks. Also using passwords
connected to target network. of length greater than 10 characters makes brute
force attacks impossible as number of possible
Step 1: Capture packets using monitor mode
15
© 2015, AJCSE. All Rights Reserved.
 Mahape Ameya et al.\ Wireless Network Security Software
passwords increase exponentially with password focuses on social engineering a fake webpage to
length. get Wi-Fi credentials. This attack can be avoided
by educating users about phishing, social
Evil Twin engineering and security risks of open Wi-Fi.
Evil Twin attack tricks target client into entering MAC Spoofing disconnects legitimate user and
network WPA password using socially engineered spoofs its MAC to get its IP from access point.
webpage. This attack works due to user’s lack of This attack can be slowed down by continuously
knowledge about the wireless system. It can be checking network connection and connecting to
avoided by educating users about phishing and the network but cannot be avoided. Wi-Fi DOS
social engineering and also about security issues attack de-authenticates all connected clients with
of open Wi-Fi. unicast and broadcast frames. This attack can be
stopped by locating attacker physically and
MAC Spoofing stopping the attack.
In MAC Spoofing client’s MAC address is
AJCSE, May-June, 2017, Vol. 2, Issue 3

spoofed to get his IP address associated with REFERENCES

attacker’s machine. MAC spoofing is difficult to
detect and avoid as it might require custom 1. https://en.wikipedia.org/wiki/IEEE_802.11
firmware on access points. i-2004
2. https://www.aircrack-ng.org
Wireless DOS 3. http://tools.kali.org/wireless-
Wireless DOS de-authenticates all users attacks/cowpatty
connected to target network. IEEE 802.11 offers 4. http://ipset.netfilter.org/iptables.man.html
no specific protection against DOS attack on Wi- 5. https://dev.mysql.com
Fi access points. The only way to stop this attack 6. http://httpd.apache.org/docs
is to locate attacker in vicinity and stop it. 7. https://linuxconfig.org/what-is-dhcp-and-
how-to-configure-dhcp-server-in-linux
CONCLUSION 8. http://tools.kali.org/sniffingspoofing/dnsch
In this paper, we have shown some potential ef
attacks on Wi-Fi networks and possible solutions 9. https://linuxconfig.org/change-mac-
for some of them. The principle idea is to expose address-with-macchanger-linux-command
the vulnerabilities of insecure networks and try to 10. https://w1.fi/wpa_supplicant
secure the flaws. We have seen four types of 11. https://linux.die.net/man/8/wpa_passphras
attacks. Handshake capture attack exploits weak e
passphrase of a network. This can be stopped by 12. https://linux.die.net/man/8/dhclient
using strong random password. Evil Twin attack

16
© 2015, AJCSE. All Rights Reserved.