International Journal of Computer Networks and Communications Security
VOL. 4, NO. 4, APRIL 2016, 114–129
Available online at: www.ijcncs.org
E-ISSN 2308-9830 (Online) / ISSN 2410-0595 (Print)
Wireless Local Area Network Security Enhancement through
Penetration Testing
Tarek Mohamed Refaat1, Tarik Kamal Abdelhamid2, Abdel-Fattah Mahmoud Mohamed3
1 Msc. Student at Assiut University, Assiut, Egypt
2, 3 Department of Electrical Eng., Faculty of Engineering, Assiut University, Assiut, Egypt
E-mail: 1tarekrefaat87@yahoo.com, 2tarik_k@aun.edu.eg, 3afm@aun.edu.eg
ABSTRACT
Wireless Local Area Networks (WLANs) have become very popular due to their high data rates, cost effectiveness, flexibility and ease of use. On the other hand, they face major security threats due to the broadcast nature of the wireless medium. WLANs in infrastructure mode are deployed as an extension of wired LANs, so they must be secured to avoid becoming a back door into the wired network. This paper presents a security solution for WLANs that achieves the standard network security requirements while combining stability and low cost. The proposed solution works on two levels, namely frame security and Radio Frequency (RF) security. It differs from other solutions because it works on both WLAN security levels. WPA/WPA2 encryption with AES and strong 802.1x authentication are integrated into the solution to provide a high level of security. The work was carried out with real hardware in a lab environment. Finally, the strength of the proposed solution is examined with different penetration tests.
Keywords: Wireless Security, WEP, WPA, WPA2, 802.1x, WIDS, Linux system.
1 INTRODUCTION
WLANs are considered among the most popular network technologies today. Both individuals and large companies use them because of their advantages. The popularity of WLANs comes from advantages such as flexibility, mobility, easy installation and low cost relative to wired networks [1]. Despite all these advantages, there is a major problem related to their security. While data transmitted over the wireless medium can be accessed anywhere with minimal infrastructure cost, any violation of the wireless LAN's security automatically harms the wired LAN. Once data is transmitted over the wireless medium, there is a chance of a security attack [2].
Any network security solution has six standard security requirements, namely Confidentiality, Integrity, Availability, Authentication, Access control, and Non-repudiation [3]. WLAN security is a compound process because it depends on air as the physical layer. The standard security requirements in WLANs are achieved on two levels: the frame security level and the RF security level. The frame security level is concerned with how to transmit packets through the air securely. This is achieved by using strong encryption and strong authentication. The RF security level is concerned with monitoring and scanning the air to detect illegal hotspots and rogue access points. There are three wireless security mechanisms for achieving these standard security requirements [4]:
1) Strong encryption is used to provide confidentiality for data (and, when an authenticated mode such as CCMP is used, integrity as well).
2) Cryptographic hash or message authentication code algorithms are used to provide integrity protection and message authentication; a plain checksum such as WEP's CRC-32 does not, as section 2.2.1 shows.
3) Strong authentication is used for strong access control and non-repudiation.
Our main goal is to achieve a more secure and reliable WLAN. There are many security solutions such as WEP, WPA, WPA2 and WPA2 with different 802.1x RADIUS servers. Each security solution has to provide the standard security requirements to make a secure WLAN. Most of the studies [5, 6, 7] in WLAN security have been done at one level only, the frame level or the RF level.
115
T. M. Refaat et al. / International Journal of Computer Networks and Communications Security, 4 (4), April 2016
This paper presents a security solution that differs from the solutions in the studies [5, 6, 7] by working on both WLAN security levels, the frame level and the RF level. In this solution, the above standard security requirements are met by achieving both security levels. In section 2, a review of the WLAN standard modes is presented and each WLAN security protocol is discussed, together with its vulnerabilities and the attacks on it. In section 3 the WLAN attacks are classified on the two WLAN security levels. In section 4 the proposed WLAN security solution is explained. It depends on three critical areas: (Data confidentiality and Integrity), (Authentication and Access control) and (Intrusion Detection and Prevention). In section 5.1, a penetration test on each WLAN security protocol (WEP, WPA, and WPA2) is performed, and the proposed solution is tested after building it. A comparison between the frame-level WLAN security protocols (WEP, WPA, WPA2, Cisco LEAP and the proposed solution) is given with conclusion points. In section 5.2, WIDS (Wireless Intrusion Detection System) solutions are proposed for achieving RF level security. In section 6, the conclusion is offered.
2 WLAN BACKGROUND AND RELATED WORK
2.1 Modes of Wireless Local Area Networks
WLANs operate in two modes: Ad-hoc mode and Infrastructure mode. Ad-hoc mode is also known as point-to-point mode and consists of wireless devices without the need for any central controller or access point (AP). In infrastructure mode, the WLAN extends a wired network using wireless APs. The AP is considered a bridge between the wired and the wireless network and also acts as the central control unit for all wireless clients. The AP is responsible for managing the transmission and reception of wireless equipment within the limited boundaries of the network. A network administrator can use APs from different vendors to increase the size of the network [8]. This paper considers security in the infrastructure mode.
2.2 Existing WLAN security solutions
There are different security solutions for the IEEE 802.11 standard, namely Wired Equivalent Privacy (WEP), WPA, WPA2, and WPA2 using 802.1x servers. We explain each solution in the following.
2.2.1 WEP
WEP is the first security technique used in the IEEE 802.11 standards; it was intended to provide WLANs with a security level equal to that of a wired LAN. WEP helps make the communication secure and provides a shared-secret authentication scheme between the AP and the end user. WEP was implemented on the initial Wi-Fi networks, where the user cannot access the network without the correct key [9]. WEP uses the shared key authentication method, in which the user needs two things to access the WLAN: the service set identifier (SSID) and the WEP key configured on the AP.
Attacks on WEP: WEP is considered a weak technique for WLAN security since it uses RC4, a stream cipher whose keystream is simply XORed with the data. Because ciphertext = plaintext XOR keystream, flipping a bit of the ciphertext flips the same bit of the decrypted plaintext, and an attacker who knows the plaintext of one frame can recover the keystream for that IV and decrypt every other frame sent with the same IV. Another vulnerable aspect of WEP is its use of CRC-32 as the integrity check value (ICV). A cyclic redundancy code (CRC) belongs to a class of "checksum" algorithms that treat the message as a large binary number and divide it, in binary without carries, by a fixed constant; the remainder is the "checksum". Because CRC is linear, it fails to provide the required integrity protection: the attacker can compute the change in the CRC caused by flipping chosen bits and patch the encrypted ICV so that the forged frame still passes the check. CRC is not cryptographically strong and was never intended to replace a message digest, a hash function or a message authentication code. WEP uses a 24-bit initialization vector (IV) that is prepended in clear text to each packet before it is transmitted through the air, where it is exposed to the FMS (Fluhrer, Mantin and Shamir) key-recovery attack. WEP suffers from a lack of mutual authentication and key management, the small IV size (24 bits), the weak authentication algorithm and the weak data encapsulation method. This paper performs a penetration test that shows WEP has failed as a wireless security protocol due to its lack of data integrity and confidentiality [10].
2.2.2 Wi-Fi Protected Access (WPA) / Temporal Key Integrity Protocol (TKIP)
There was a need to develop a new solution for WLAN security that provides more security than WEP. TKIP is designed on top of WEP to fix all its known weaknesses. To increase the key strength of WEP, TKIP includes four additional algorithms [11]:
1. A cryptographic message integrity check called Michael (MIC) to protect packets against bit-flipping attacks.
2. An IV sequencing mechanism, with the IV mixed (hashed) into the per-packet key rather than used directly as in WEP's plain-text transmission, so that out-of-order or replayed packets are rejected.
3. A per-packet key mixing function to increase cryptographic strength.
4. A re-keying mechanism that generates fresh keys every 10,000 packets.
The TKIP encryption algorithm avoids the problem of WEP by generating a separate key for each packet instead of the single key WEP uses for all packets. TKIP also addresses the IV weakness by increasing the IV size (to a 48-bit sequence counter) and using that longer packet counter to provide replay protection. By doing all this, TKIP solves the problems of WEP to some extent [12].
2.2.3 WPA2 / Advanced Encryption Standard (AES)
AES was standardized by the U.S. National Institute of Standards and Technology (NIST) in 2001 and is considered the best specification for data encryption. It is based on the Rijndael cipher, developed by two cryptographers, Joan Daemen and Vincent Rijmen, who submitted the proposal that NIST evaluated during the AES selection process. The WPA2 structure differs from WPA and WEP because it combines key management and message integrity in a single protocol, CCMP, based on AES [13].
The purposes of AES (CCMP) encryption are:
1. Counter mode is used to provide data protection (confidentiality) from unauthorized access.
2. CBC-MAC is used to provide message integrity to the network.
AES is the strongest wireless encryption available; it uses the Rijndael key schedule, and each block passes through the following steps [14]:
1. Initial round: add round key, where each byte of the state is combined with the round key using bitwise XOR.
2. Sub bytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
3. Shift rows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
4. Mix columns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
5. Add round key.
6. The final round does not perform the mix columns operation.
WPA2 with AES encryption, which performs many rounds to make the relation between key, plaintext and ciphertext non-linear, is better than WEP, whose RC4 keystream leaves a linear (XOR) relation between plaintext and ciphertext that an attacker can exploit. WPA2 with AES also differs from WPA/TKIP, which still uses RC4 and is considered an extension of WEP with some improvements; the underlying RC4 encryption of TKIP is still weak. An AES implementation in MATLAB is described in [15].
Attacks on WPA and WPA2: Dictionary attacks and WPA handshake capture are the most popular attacks on the WPA and WPA2 protocols. The attacker can simply wait for a handshake to occur, or actively force one by running a deauthentication attack against a target victim PC. Once the four-way handshake is captured, the attacker uses a dictionary file that holds a large number of possible PSKs together with the Aircrack-ng suite. Also, some administrators use Wi-Fi Protected Setup (WPS) to connect users to the access point, but it can be attacked with the Reaver tool (brute force of the WPS PIN). US-CERT warns against using WPS to add a new host (Vulnerability Note VU#723755): "The Wi-Fi Protected Setup (WPS) PIN is susceptible to a brute force attack" [16].
2.2.4 WPA2 using 802.1x servers
Many companies recommend using WPA2 with the 802.1x security protocol to overcome the dictionary and WPA handshake capture attacks on the WPA/WPA2 protocols. This protocol combines WPA2, which depends on AES encryption, with a strong authentication server. Many of these deployments enhance EAP authentication with methods such as LEAP (Lightweight EAP), EAP-FAST, EAP-TLS (Transport Layer Security) or EAP-PEAP (Protected EAP) to mitigate the dictionary attack [17]; note that LEAP itself is vulnerable to a dictionary attack, as section 4.1.2 discusses.
3 ATTACKS ON WLAN SECURITY
In this section, we classify all WLAN attacks that target one or more of the six standard security requirements on the two levels, the frame level and the RF level.
There are many attacks on the frame level. Table 1 summarizes the important wireless attacks at the frame level.
Table 1: The frame level wireless attacks
Attack | Description | Security element
Man in the middle (MITM) | If data are unprotected, hackers can intercept data. | Confidentiality, Integrity
Dictionary attack | Programs that try a large number of passwords to get the correct one. | Authentication, Access control
Bit-flipping | A cryptanalytic attack that can be used against encrypted data whose integrity check is not cryptographic (section 2.2.1). | Integrity
Handshake stealing | The attacker takes the role of the authorized client to steal the handshake between access point and client. | Authentication
Unauthorized client access | If a network has weak user authentication, it is very easy for a hacker to gain access and take information. | Access control
There are many attacks on the RF level. Table 2 summarizes the important wireless attacks at the RF level.
Table 2: The RF level wireless attacks
Attack | Description | Security element
Congesting (Denial of Service) | Congesting a network resource with requests. | Availability
Rogue Access Points | An unauthorized access point that has been connected to the wired network, which can provide malicious or unauthorized users with open access to the LAN. | Availability
IP Spoofing | If the hacker has a rogue access point with DHCP enabled, it can interfere with the main DHCP server in the network. | Availability
4 THE PROPOSED WLAN SECURITY SOLUTION
In this section, the proposed solution for WLAN security is discussed. It requires working in three critical wireless security areas [18], namely:
- Data confidentiality and Integrity
- Authentication and Access control
- Intrusion Detection and Prevention
Fig. 1. The proposed WLAN solution [18]
Figure 1 shows that the frame security level consists of two areas, (Data confidentiality and Integrity) and (Authentication and Access control), while the RF security level consists of the Intrusion Detection and Prevention area.
4.1 The Frame Level Security
The frame security areas are discussed in the following.
4.1.1 Data confidentiality and Integrity
Confidentiality represents the protection of data while it is transmitted over the wireless channel. Confidentiality is achieved through strong encryption, using an algorithm to encode data at the transmitter and decode it at the receiver. Integrity is achieved by adding a cryptographic check value (a MIC) that lets the receiver detect any modification of the frame; plain error-detecting redundancy such as a CRC is not enough, as the WEP case shows.
The WEP protocol uses RC4 and is exposed to a bit-flipping attack that destroys the integrity of data frames [10]. WPA2/AES provides the strongest wireless encryption [19].
4.1.2 Authentication and Access control
WLAN security protocols use the WPA handshake as a challenge-handshake authentication protocol. It can be attacked by a man-in-the-middle attack. WPA/TKIP and WPA2/AES both use the WPA handshake as their authentication protocol, which is not enough for the authentication process [20]. Dictionary attacks and WPA handshake capture are the most popular attacks on the WPA and WPA2 protocols. The attacker can simply wait for a handshake to occur or actively force one by running a deauthentication attack on a target victim PC. To overcome some drawbacks of the existing authentication scheme, IEEE has suggested an alternative authentication scheme based on the IEEE 802.1x model [21]. Practically, two modes can be assigned to WPA/WPA2:
1) Personal mode: a pre-shared key (passphrase) is provided.
2) Enterprise mode: a username and password (or a certificate) are provided and verified by an authentication server.
IEEE 802.1x Protocol
IEEE 802.1x is based on the Extensible Authentication Protocol (EAP) and offers a choice of several methods to protect the authentication exchange. Practically, authentication methods based on the IETF's Transport Layer Security (TLS) standard can satisfy strict encryption and authentication requirements. Three TLS-based protocols have been developed for use with EAP and are suitable for wireless LAN deployments [21], namely:
1) EAP-Transport Layer Security (EAP-TLS)
2) Tunneled Transport Layer Security (EAP-TTLS)
3) Protected EAP (PEAP)
Dictionary Attack on Vulnerable Cisco LEAP
Cisco LEAP (Lightweight EAP) uses the same password as Windows, which may offer the side benefit of access to any other resources that rely on the Windows password and use Microsoft CHAP (MS-CHAP). It does not salt its NT hashes, it sends usernames in clear text, and the MS-CHAP response is computed with three DES keys derived from the 16-byte NT hash, the last of which contains only two unknown bytes, so the hash can be recovered from a captured exchange and attacked offline.
Further threats are possible if the victim uses the same password for other applications. As with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks [22]. One requirement for this attack is that the attacker captures the authentication while it is occurring. By default, a client re-authenticates every 30 minutes, but an impatient attacker can end the victim's session so that it must re-authenticate; this is accomplished by sending an EAPOL-Logoff packet. The client then re-authenticates, allowing the attacker to observe the entire process and capture the relevant information. Cisco recommends that users move to other EAP methods, such as EAP-FAST, EAP-TLS or EAP-PEAP, to mitigate the dictionary attack [23].
This paper implements the enterprise mode of IEEE 802.1x security with a strong and free authentication protocol, EAP-TLS, on a Linux RADIUS server. The Linux system is used here because it is free, strong and open source.
FreeRADIUS Server (the proposed authentication server)
FreeRADIUS is used in wireless environments to allow multiple devices to access databases, transfer files and update or change information. It does not require any specific hardware; users need only a username and password. If the company uses certificates, the employee is given a certificate that grants the right to access the network and the company database. It is free software with no additional cost because it runs on a Linux system that supports all the protocols used and can issue its own security certificates [24]. It does not require licenses to be bought and, most important of all, it does not take much time to configure and run. However, FreeRADIUS is built for UNIX-like systems and therefore does not run on Windows.
Free RADIUS lacks a Graphical User Interface (GUI), so everything is done through the command line. It is considered one of the strongest authentication servers and has the important advantage of being free [25].

4.2 The RF Security Level

The RF security level is achieved by building one or both of the following systems:
1) Wireless Intrusion Detection System (Wireless IDS)
2) Wireless Intrusion Prevention System (Wireless IPS)

Wireless IDS/IPS: Intrusion detection and prevention is done on the RF level. It involves scanning the radio to detect rogue access points or ad hoc networks in order to regulate access to the network. It must be able to identify and remove the threats, but allow the neighboring WLANs to co-exist while preventing [26].

5. WLAN SECURITY EXPERIMENTS AND RESULTS

In this section, we build the proposed solution, which is divided into the frame and RF security levels; we also perform practical experiments and conclude the results on the frame security and the RF security. Penetration tests are used to examine the security strength of each WLAN protocol. Backtrack software is used as the attacking software for testing the WLAN. Open source Linux software is used for building the Free RADIUS authentication server (the frame security), and also for building the Snort IDS server (the RF security) that is connected to the wireless LAN.

5.1 The Frame Security Experiments

The WLAN lab test consists of a host that is connected to the target AP. It plays the role of the victim, while another host, the attacker, tries to steal the connection of the victim PC with Backtrack software. Both the victim PC and the attacker are connected to the same wireless LAN. Three experiments are performed on the frame security level, as follows:

5.1.1 Experiment 1: Testing the WEP protocol

This test proves that the wireless network is vulnerable if WEP is used with a key that depends on the IV. The IV is a 24-bit field which is transmitted in clear text as a part of a message and is used as a part of the secret key to generate a pseudo-random number sequence. The sequence is XORed with the data to produce the ciphertext that represents the encrypted data, so a bit-flipping attack can make ciphertext XOR key give the plain text easily [27&28], as shown in Fig.2.

Fig.2. The WEP attack process [29]

The duration of generating random repeated IVs is calculated [29] by equation (1):

(1)

Assuming an average frame length of 1500 bytes and a data transfer rate of 11 Mbps, we obtain an IV repetition duration of [29]:

(2)

This means 305 minutes at most to crack the WEP key.

Practical Steps: To attack the WEP protocol, a large number of IVs transmitted through the wireless media has been easily collected. This test shows that the attacker can crack a WEP key using the Backtrack commands in a few minutes, after capturing 20,000 to 40,000 data packets. Table 3 shows the main steps of the experiment as Backtrack commands.

Table 3: The Backtrack system steps

Command | Description
airmon-ng | Check the connectivity of the connected devices.
airmon-ng start wlan0 | Start the wireless card wlan0 in monitoring mode.
airodump-ng mon0 | Show the available access points in range, their channels and their connected clients.
macchanger -m | Change the MAC address of the card.
airodump-ng -c 6 --bssid A0F3C1600497 -w lab1 mon0 | Capture data from the target access point on channel 6 and store it in the lab1 capture file.
aireplay-ng -1 0 -a A0F3C1600497 -h 940c6d88de4a -x 1024 mon0 | Associate the wireless card with the target access point.

Results: As demonstrated above, WEP cracking can be accomplished within a few minutes after capturing 20k data packets. Experiment 1 took 11 minutes to crack the WEP key. The WEP protocol cannot provide the required data confidentiality for the wireless system.
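The following is an added illustration, not part of the paper, of the WEP weaknesses described in Sections 4.1.1 and 5.1.1: a toy RC4 + CRC-32 frame model with a constructed key, IV and payload. It assumes equation (1) is the time to transmit 2^24 frames of the stated size at the stated rate (which reproduces the 305-minute figure), shows that the CRC ICV can be repaired after a bit flip without the key, and contrasts it with a keyed MIC of the kind WPA/WPA2 use.

```python
"""Toy WEP frame protection (RC4 keystream + CRC-32 ICV); constructed example, the key,
IV and payloads are made up. Shows IV exhaustion time, the CRC bit-flip flaw, and a keyed MIC."""
import hashlib, hmac, zlib

def iv_exhaustion_minutes(frame_bytes=1500, rate_bps=11_000_000, iv_bits=24):
    """Minutes to send one frame under every IV value at a constant rate (assumed form of eq. 1)."""
    return 2 ** iv_bits * frame_bytes * 8 / rate_bps / 60

def rc4(key, n):
    """RC4 keystream of n bytes (KSA followed by PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, data):
    """Frame = IV || RC4(IV||key) XOR (data || CRC-32(data)); the IV is sent in clear."""
    icv = zlib.crc32(data).to_bytes(4, "big")
    return iv + xor(data + icv, rc4(iv + key, len(data) + 4))

def wep_decrypt(key, frame):
    """Return the payload if the CRC ICV verifies, else None."""
    plain = xor(frame[3:], rc4(frame[:3] + key, len(frame) - 3))
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "big") == icv else None

def flip_without_key(frame, delta):
    """XOR delta into an encrypted payload and repair the ICV with no key: CRC-32 is
    affine, crc(a ^ b) = crc(a) ^ crc(b) ^ crc(zeros), so the CRC check still passes."""
    n = len(frame) - 7                     # payload length: 3-byte IV, 4-byte ICV
    delta = delta.ljust(n, b"\0")
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return frame[:3] + xor(frame[3:], delta + fix.to_bytes(4, "big"))

def mic_tag(mic_key, data):
    """Keyed MIC in place of the CRC (WPA/WPA2 style); forging it requires the key."""
    return hmac.new(mic_key, data, hashlib.sha256).digest()

KEY, IV = bytes.fromhex("0102030405"), b"\x00\x00\x01"   # constructed 40-bit key, 24-bit IV
FRAME = wep_encrypt(KEY, IV, b"dst=10.0.0.5 hello")       # constructed payload
FORGED = flip_without_key(FRAME, xor(b"dst=10.0.0.5", b"dst=10.0.0.9"))  # accepted by wep_decrypt
```

Reusing IV under the same key also reuses the keystream, so XORing two such frame bodies yields the XOR of their plaintexts, which is why the IV repetition time above matters.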
Also, the RC4 encryption of WEP does not give the required data integrity because its integrity check is a linear function (CRC) [10&28]. The CRC-32 ICV is a linear function of the message. An attacker can easily make the victim's wireless access point decrypt packets for him. This is simply done by capturing an encrypted packet stream, modifying the destination address of each packet to the attacker's IP address, fixing up the CRC-32, and retransmitting the packets over the air to the access point. The access point will decrypt the packets and forward them to the attacker [28]. IV- and ICV-based attacks are independent of the key size; even with huge key sizes, the attack takes the same amount of effort.

To increase the number of collected data packets, the following command is used:

root@bt:~# aireplay-ng -3 -b A0F3C1600497 mon0

In this step, additional data is injected to increase the traffic on the wireless network. The aireplay-ng command should be run in a separate window to inject the packets into the network. Finally, when the number of captured data packets reaches 20,000, the WEP key can be cracked easily with the following command, see Fig.3:

root@bt:~# aircrack-ng lab01.cap

5.1.2 Experiment 2: Testing the WPA/TKIP and WPA2/AES protocols (The common authentication vulnerability)