The Art of War Driving and Security Threats - A Malaysian Case Study

Biju Issac, Seibu Mary Jacob and Lawan A. Mohammed
Information Security Research (iSECURES) Lab, Swinburne University of Technology (Sarawak Campus), Kuching, Sarawak, Malaysia.
{bissac, sjacob, lmohammed}@swinburne.edu.my

Abstract - The fact that Wireless Local Area Networks (WLAN) use radio spectrum for transmitting data has with it pros and cons. Mobility without wires and the ease to move around to connect to network resources has made IEEE 802.11 WLANs quite popular. The users need to have a laptop with a wireless network adapter that negotiates with an Access Point. Once authenticated and associated with the Access Point, the user can easily move around in the transmission range of the Access Point without losing data or network connection, enjoying bandwidths of the order of multiples of 10 Mega Bytes. On the negative side, these Wireless LANs tend to have fuzzy boundaries, making it easy for an intruder to capture these transmission signals with a receiving device fitted with a sensitive antenna. An analysis of these captured packets can be good news to the intruder. We try to investigate war driving (an act of locating wireless networks from within a moving vehicle), the interception of transmission data from the located wireless LANs in some of the highways in our country, and a brief analysis of that, eventually discussing the attacks and security precautions.

Keywords - Packet capture, Security threats, War driving, Wireless LAN.

I. INTRODUCTION

When the concept of wireless networking evolved, the world received it with open arms, and in the recent past the world is increasingly becoming mobile. Ubiquitous and mobile computing are thus becoming the de-facto standard in the future world of computer networks. Wireless networks however are not meant to replace wired networks. They support and complement each other.
The fact of the matter is, in infrastructure mode, the Access Point needs to be connected to a wired LAN. In the forthcoming sections we try to introduce the basic technology of wireless networks in Section II, the war driving exercise in Section III, the configuration of the laptop to be carried along in Section IV, packet capturing and observations in Section V, statistical analysis in Section VI, WEP cracking verification in Section VII, network traffic filtering of image/audio in Section VIII, privacy invasion in Section IX, attacks and precautions in Section X, analysis of hacker tools in Section XI, prevention measures that can be taken in Section XII and the conclusion in Section XIII.

II. BASIC TECHNOLOGY

The Wireless Local Area Network (WLAN) operates on IEEE 802.11 standards. Its initial products were released in 1997. The 802.11b standard is the most popular, with a wide implementation base on wireless products. It operates from 2 Mbps up to 11 Mbps speed. The 802.11g standard is becoming popular now, with a transmission speed of up to 54 Mbps. The above standards operate in the 2.4 GHz ISM band [1]. There are other IEEE standards for wireless products that are scarcely available in the markets today, like 802.11a, 802.11i etc., but they would be available in future. We will focus our analysis on IEEE 802.11b/g wireless LAN only. In infrastructure mode a wireless LAN requires two components, namely an Access Point and a laptop computer with a wireless card. The Access Point acts as a 2-port bridge and is connected to a wired LAN [2]. It connects the wireless node to the resources in the wired LAN. In 802.11b and 802.11g, encryption is not mandatory and the default setup is without encryption. The implementer of the wireless LAN is left with the choice of enabling or disabling encryption. As the radio transmission happens in the air at around 2.4 GHz frequencies, the possibilities of an intruder intercepting these waves are high. He just needs a receiving device with a sensitive antenna.
Unlike wireless networks, wired networks have an inherent security in the fact that the data transmission happens through wire that is shielded in the ducts in the walls of a building, which is not easy to tap, or can be protected by strong physical access control like locks on the doors of wiring closets etc. IEEE 802.11b/g uses WEP (Wired Equivalent Privacy) as its encryption protocol. It can be 40-bit or 104-bit encryption. It is a proven fact that WEP's design is flawed and the encryption key can be known by capturing a sufficient number of packets [3]. IEEE 802.11b/g also uses a RADIUS server with Extensible Authentication Protocol (EAP) for backend authentication. This user authentication can harden the security of a wireless network. WPA with PSK or RADIUS authentication with TKIP/AES is what we can find in the current 802.11g equipment.

III. WAR DRIVING IN HIGHWAYS

As we understood the fuzzy boundaries of wireless network installations because of radio transmissions and the ease of sniffing, we thought of testing it ourselves by driving around with a laptop computer in some of the highways. We are not aware of any law of the land that prevents a person from eavesdropping on a wireless network, especially when the radio waves break out into the open and public space. We think the line of division that demarcates lawful activity from lawless activity in such a case would be very thin and sensitive. We went to different areas where wireless networks were detected and started capturing packets using the pre-configured laptop we had. For getting a more random sample, we drove to different places, at different times. The ease of wireless data capture is well illustrated in the figure below. It is called the parking lot attack in [4].

1-4244-0000-7/05/$20.00 ©2005 IEEE.

Figure 1. Parking Lot Attack as illustrated in [4] and diagram reproduced. Here the attacker could be equipped with a laptop in a car parking lot, intruding into the wireless LAN boundary as shown.

IV. CONFIGURATION AND SETUP USED

The laptop that we used had the following configuration: Make: Acer Laptop; Processor: Mobile Centrino processor; Memory/RAM: 256 MB; Hard Disk Capacity: 20 GB; with onboard wireless network adapter, PCMCIA Wireless Adapter slot etc. So our laptop had 2 wireless network adapters. We used one for wireless network detection, using NetStumbler 0.4.0 software [5], and the other for 802.11b/g packet capturing using Link Ferret 3.10 software [6]. We fixed a CISCO Aironet 350 series PCMCIA Wireless adapter and configured the laptop to capture wireless packets using the Link Ferret packet capturing software and appropriate network drivers. WinPcap software also needed to be installed for packet capturing to work. The Link Ferret software can be configured to capture packets from different channels with a huge buffer size, with an average packet size of around 64 bytes or more. We also installed the Network Stumbler software that could stumble upon/detect wireless networks as we drive around. It basically scans for any presence of a wireless LAN. The Network Stumbler software could show us the wireless networks and their details like MAC address, SSID name/network name, Access Point name and details, details of encryption if enabled or the absence of it, the channel number, the time stamp, signal strength etc. With the Network Stumbler scanning enabled and Link Ferret packet capturing enabled, with two laptops we did a drive-around in one of our cars on some of our highways. As expected, wireless networks were detected and packets were captured from the needed places. The results were quite revealing.

V. PACKET CAPTURING AND OBSERVATIONS

Packet capturing was done in various spots where wireless networks were detected through NetStumbler alerts. It was quite surprising to us that quite a number of wireless networks were working without encryption. They simply had not enabled the WEP encryption.
The packet capturing done in eight different sessions was for an average duration of around 30 minutes, and the packets were captured in eight different files. These files have been merged to form a single file for an overall analysis. For security reasons, we didn't want to draw our driving map or disclose locations. The captured packet files are mainly from different locations that include Petrol Stations, Banks, Financial Institutions, Shopping Complexes and Government organizations. Other minor captures include Hotels, Public Wi-Fi Hotspots in Cafes and other private installations. It is unfortunate that the header of the wireless packets can reveal some interesting information, as it is transmitted in the clear. Sniffing and getting such details on a wired network is not that easy. Wireless frames/packets captured were a combination of Control Frames, Management Frames and Data Frames. Control and Management Frames were much more numerous in comparison to data frames. Packets/frames with their protocols and total number in brackets were as follows: IEEE 802.11 (228837), IEEE 802.1 (636), CDP (4), IEEE 802.2 (23603), IEEE SNAP (14410), ARP (2746), IP (9971), ICMP (347), IGMP (50), BOOTP (329), EGP (1), GRE (1), IPX (564), IPX RIP (14), UDP (3604), TCP (5442), NBNS (471), NBDS (288), NBSS (3763), IPX NETBIOS (18), NETBEUI (85), NCP (1), SMB (6), FTP (1), HTTP (693), HTTPS (279), DNS (113), OSPF (26), SSDP (290), NNTP (28), IPX SAP (78) and NMPI (11). Other critical information captured was source, destination and BSSID (or AP) MAC addresses, source and destination node IP addresses, source and destination node open port numbers, checksum details, initialization vector (IV) value etc. This information in itself is not very sensitive, but some of it can be used to launch attacks against a wireless LAN as explained under Section X, especially the DoS attacks. Encrypted packets showed signs of using a set of WEP keys (as against using one static key), and in some packets the TKIP protocol was used.
Well, we need not speak much about the data packets captured that were not even encrypted. Even though some APs were using WEP encrypted transmission with TKIP enabled, we could still collect quite a number of unencrypted fragmented IEEE 802.11 data frames (with Frame Control type = 2, i.e. type = Data Frame). These can be used to get meaningful or sensitive information that can interest an intruder, if one uses appropriate tools and shows some patient effort. For example, EtherPEG and DriftNet are free programs [7], [8] that show you all the image files like JPEGs and GIFs traversing through a network. They work by capturing unencrypted TCP packets, and then grouping packets based on the TCP connection (i.e. from details determined from source IP address, destination IP address, source TCP port and destination TCP port). They then join or reassemble these packets in the right order based on the TCP sequence number and then look in the resulting data for byte patterns that show the existence of JPEG or GIF data [7]. This is useful when one gets connected illegally to a wireless LAN. We tested Driftnet execution on Linux as in Section VIII. Overall, using NetStumbler we located 50 Access Points or peers in wireless networks without WEP encryption and 21 Access Points or peers with WEP encryption. We could even connect to an encrypted peer wireless network in a government organization by typing in a random password. The PC or laptop thus connected was assigned an IP address.

VI. STATISTICAL ANALYSIS

Packet analyzers like Ethereal [9], Packetyzer [10] and the Link Ferret monitor software [6] were used for the detailed analysis of packets. Using filters we could list out only the packets we are interested in. Each of those packets could then be analyzed with its detailed contents. We did some statistical analysis on the captured packets that showed some indicative results.
Table I gives some statistical information on data frames/packets that are unencrypted and Figure 2 shows the related graph. The captured packet files (pkt1 to pkt8) are from 7 different locations during different times.

TABLE I. DETAILS OF THE CAPTURED PACKET FILES

Packet file name | Total no. of packets | No. of unencrypted data packets (UDP) | Average unencrypted data packet size (in bytes) | No. of unencrypted data packets/sec
pkt1.cap | 32767 | 2532 | 1081.86 | 3.31
pkt2.cap | 32767 | 7482 | 108.17 | 2.42
pkt3.cap | 19321 | 1397 | 428.34 | 1.05
pkt4.cap | 32767 | 1465 | 228.15 | 0.45
pkt5.cap | 6073 | 2385 | 173.85 | 1.30
pkt6.cap | 32767 | 3527 | 83.57 | 4.71
pkt7.cap | 32768 | 1558 | 84.79 | 1.13
pkt8.cap | 39607 | 2550 | 77.25 | 1.81
Merged | 228837 | 22896 | 241.08 | 2.02

The data frames considered for tabular analysis fall into the following categories or groups: Data (frame type 32), Data + CF-Acknowledgement (frame type 33), Data + CF-Poll (frame type 34) and Data + CF-Acknowledgement/Poll (frame type 35). These data packets will be referred to as unencrypted data packets (UDP) from henceforth. Data Frame type 32 dominates the population. We also noted Data Frames of type 32 that are encrypted with WEP, which are not considered for analysis. The sample considered for analysis consists of unencrypted data frames and unencrypted fragmented data frames, both containing visible data sections in HEX format as viewed through Ethereal. Our packet samples are only indicative and they are not very exhaustive. Hence our results are also indicative in nature.

[Figure 2: bar graph with one bar per capture session (1 to 8, x-axis "Capture Sessions") and the percentage of unencrypted data packets on the y-axis.]

Figure 2. The graph showing the percentage of unencrypted data packets (UDP) captured from eight different sessions, based on Table I.
Frames of type Data + Acknowledgement (No data, frame type 37), Data + CF-Poll (No data, frame type 38), Data + CF-Acknowledgement (No data, frame type 39), QoS Data (frame type 40) and QoS Null (No data, frame type 44) are not considered for tabular analysis, since they contain no data payload or irrelevant data. From the above table we note that the average number of unencrypted data packets per second is 2 and the average unencrypted data packet size is around 241 bytes. Using conditional probability on the 8 samples collected, the following is observed. Given an unencrypted packet, there exists a 15% average chance that it is a data packet. Thus mathematically,

$P(DP \mid UP) = \frac{P(DP \cap UP)}{P(UP)} = 0.15$,

where DP is Data Packet and UP is Unencrypted Packet. Grouping the captured packets based on the source company/organization yielded Table II. The 95% Confidence Interval was also calculated, assuming 5% error in captured packets. The results are quite revealing.

TABLE II. SOURCE OF CAPTURED PACKETS WITH 95% CI CALCULATION

Packet name | Type of Company/Organization | 95% Confidence Interval for the proportion of unencrypted data packets
pkt1.cap | Petrol Station & Private Installations | (7.44%, 8.02%)
pkt2.cap | Bank/Financial Institution | (22.38%, 23.29%)
pkt3.cap | Petrol Station | (6.87%, 7.60%)
pkt4.cap | Multistoried Shopping Complex | (4.25%, 4.70%)
pkt5.cap | Bank/Financial Institution | (38.04%, 40.50%)
pkt6.cap | Bank/Financial Institution | (10.43%, 11.10%)
pkt7.cap | Government Organization/Office | (4.52%, 4.99%)
pkt8.cap | Government Organization/Office | (7.49%, 8.07%)

Overall, in all the packets combined, we found the broadcast frames to be 41% (with 28 bytes), Multicast frames to be 15% (with 35 bytes) and Directed frames to be 43% (with 36 bytes).

VII. WEP CRACKING VERIFICATION

Verification of WEP cracking was done on packets captured within our research lab, with encryption using a static 104-bit WEP key (abc012fde789cde567afb456ad), as shown in Figure 3.
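As an added example (editor's code, not from the paper), the following Python reproduces the bookkeeping behind Tables I and II: it decodes the 802.11 Frame Control field, keeps only payload-carrying data frames (type/subtype codes 32 to 35) whose Protected bit is clear, tallies them per session, and computes the 95% interval for the unencrypted-data proportion. The sample frames are constructed, and the interval is assumed to be the normal-approximation (Wald) interval, which reproduces the pkt1.cap and pkt5.cap rows of Table II from the Table I counts.

```python
"""Editor's example (not the paper's code): the frame bookkeeping behind Tables I and II.

Type/subtype code = (type << 4) | subtype, as Ethereal numbers it: Data = 32,
Data + CF-Ack = 33, Data + CF-Poll = 34, Data + CF-Ack/Poll = 35, Null = 36,
QoS Data = 40, QoS Null = 44. The 95% CI is assumed to be the Wald interval.
"""
import math

COUNTED_DATA = {32, 33, 34, 35}   # the paper's unencrypted data packet (UDP) groups
PROTECTED_BIT = 0x40              # Frame Control byte 1, bit 6: WEP/TKIP/CCMP in use


def parse_frame_control(frame: bytes) -> dict:
    """Decode type, subtype, the Ethereal-style code and the Protected bit."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    b0, b1 = frame[0], frame[1]
    ftype = (b0 >> 2) & 0x3       # bits 2-3: 0 = Management, 1 = Control, 2 = Data
    subtype = (b0 >> 4) & 0xF     # bits 4-7
    return {"type": ftype, "subtype": subtype, "code": (ftype << 4) | subtype,
            "protected": bool(b1 & PROTECTED_BIT)}


def classify(frame: bytes) -> str:
    """Label a frame the way the paper groups frames for the tabular analysis."""
    fc = parse_frame_control(frame)
    if fc["type"] == 0:
        return "management"
    if fc["type"] == 1:
        return "control"
    if fc["code"] not in COUNTED_DATA:   # Null, CF-only and QoS frames are excluded
        return "data-not-counted"
    return "data-encrypted" if fc["protected"] else "data-unencrypted"


def tally(frames) -> dict:
    """Table I figures for one session: total, UDP count, proportion, mean UDP size."""
    udp = [f for f in frames if classify(f) == "data-unencrypted"]
    n, k = len(frames), len(udp)
    return {"total": n, "udp": k, "proportion": k / n if n else 0.0,
            "avg_udp_size": sum(len(f) for f in udp) / k if k else 0.0}


def wald_ci95(k: int, n: int) -> tuple:
    """95% normal-approximation interval for the proportion k/n (Table II)."""
    p = k / n
    half = 1.96 * math.sqrt(p * (1 - p) / n)
    return (p - half, p + half)


def make_frame(ftype: int, subtype: int, protected: bool = False,
               payload: bytes = b"") -> bytes:
    """Constructed frame: Frame Control, 22 zeroed header bytes, then payload."""
    b0 = (subtype << 4) | (ftype << 2)                # protocol version 0
    b1 = PROTECTED_BIT if protected else 0x00
    return bytes([b0, b1]) + b"\x00" * 22 + payload   # 24-byte MAC header


# Constructed sample session (not one of the paper's captures)
SAMPLE_SESSION = [
    make_frame(0, 8),                                        # beacon
    make_frame(1, 13),                                       # ACK
    make_frame(2, 0, payload=b"GET / HTTP/1.0\r\n"),         # Data (32), in the clear
    make_frame(2, 0, protected=True, payload=b"\x00" * 44),  # Data (32), WEP
    make_frame(2, 4),                                        # Null (36), no payload
    make_frame(2, 1, payload=b"x" * 100),                    # Data + CF-Ack (33), clear
    make_frame(2, 8, payload=b"y" * 10),                     # QoS Data (40), excluded
]

if __name__ == "__main__":
    t = tally(SAMPLE_SESSION)
    lo, hi = wald_ci95(t["udp"], t["total"])
    print(f"{t['udp']}/{t['total']} unencrypted data frames, "
          f"95% CI ({lo:.1%}, {hi:.1%}), mean size {t['avg_udp_size']:.1f} bytes")
```

Feeding the Table I counts to wald_ci95 (e.g. 2532 of 32767 for pkt1.cap) gives the intervals listed in Table II; on a real capture the frames would come from a pcap reader rather than the constructed list.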
The cracking was done using the Aircrack software and it took only 5 seconds with around 6 million packets, as WEP's design was proved to be flawed. The WEP key is crackable because of IV collision, where the same IV might repeat after some time [11]-[13].

[Figure 3: aircrack 2.1 terminal output listing, for each key byte, the candidate values with their vote counts, and ending with the KEY FOUND line.]

Figure 3. Aircrack software successfully cracked 104-bit WEP key encryption. Around 6 million packets were used.

VIII. NETWORK TRAFFIC FILTERING OF IMAGE/AUDIO

We tested the image or audio (MPEG) filtering capability of the driftnet software [8] on wireless network traffic in our research lab. The software listens to network traffic and picks out images/audio from the TCP streams it observes. So once connected to a foreign wireless LAN, this can be a good hacker tool. Using ARP poisoning the attacker can direct all the traffic to his laptop and filter all the images. If image/audio can be filtered, any other files (like .txt, .pdf, .doc, .htm etc.) can be filtered, by writing appropriate software. We executed it as ./driftnet -a (adjunct mode of operation) as shown in Figure 4.
It then saves all the image files in the network traffic to a temporary directory (/tmp/fileLVE4if, as shown below) which can be processed later. With the -S option it extracts only MPEG streamed audio.

[Figure 4: terminal session running ./driftnet -a, listing the .gif and .jpeg files written under /tmp/fileLVE4if.]

Figure 4. Driftnet-0.1.6 software on Linux that filters images and MPEG audio files from wireless network traffic is shown. Note the gif and jpeg images captured and stored under the /tmp/fileLVE4if directory.

IX. PRIVACY INVASION

From the customer's point of view, war driving can lead to privacy breaches. A report in [14] indicated that customers are worried about their privacy and potential intrusion when using wireless and mobile devices. In certain transactions, customers would like to be anonymous. The anonymity will be lost if the MAC address of the device is identified and the owner of the device is known. Another privacy concern is the identification of the user's location. A user's location generally describes their whereabouts or reference point based on the AP address. This shows that the users are within the coverage area of the AP. Moreover, since the MAC address or the IP address of his device can be captured, if the user of the device can be identified, it is easy to approach the user with a good or bad intention.
For instance, users entering a particular wireless zone can be targeted with notices containing viruses or worms with the intention of damaging their devices. Other dangers include manipulation of the user's behavior, users being blackmailed, or even physically attacked. These attacks can easily be organized by tracking and tracing the user's location. Tracking refers to the plotting of a trail or sequence of locations within a space that is followed by a user over a period of time [15]. A real-time trace refers to the identification of an object or person at any particular point in time, with a degree of precision [16]. By tracking a person at varying time intervals, it is possible to observe his behavior. Other threats associated with location as described in [17] are individual danger, social danger, and organizational danger.

X. ATTACKS AND PRECAUTIONS

Unfortunately, the installation of a wireless network opens a 'back door' into the internal wired network that allows an attacker access into the network and its resources. Thus the attacker can do the 'parking lot attack', where the attacker sits in the company's car parking lot and accesses hosts on the internal network [4]. Some known attacks are as follows [2]:

1) Using more sensitive antennas (with a high level of directional sensitivity) anyone can pick up the RF signals of a wireless LAN, say up to several miles away. If a sufficient number of frames is captured, the WEP key can be reconstructed using software application programs like Airsnort, WEPCrack and AirCrack (as demonstrated). Precautions: Consider antenna positioning and the use of shielding. Position the AP antenna so that signals are more powerful in the needed areas. Use aluminum foil shields around the AP to weaken the signals going outside the building premises. Lower the transmit signal strength (to say 5 mW or 10 mW), thus reducing the range of RF signals generated by the AP.

2) The attacker can also pretend to be a legitimate user of the network, say through MAC spoofing.
Masquerading can be very dangerous as it provides an open door to one's network resources. It can be through SSID name broadcast or WEP weakness. Precaution: A triple-A approach can be considered: Authentication, Authorization and Accounting.

3) Typically APs control access by permitting only those stations with known MAC addresses. Either the attacker has to compromise a computer system that has a station, or he spoofs with legitimate MAC addresses in frames that he manufactures. By setting his own MAC address to a legitimate MAC address, the attacker can access the wireless network. Precaution: Restrict or filter MAC addresses in the AP and/or in the RADIUS server. Use intruder detection/prevention software.

4) Certain bits could be flipped in the frame by the attacker, changing the Integrity Check Value without the knowledge of the user. Precaution: Encrypt the 802.11 frames within a layer 3 (network layer) wrapper, so that any tampering cannot go undetected. We may need to use an IPSec tunnel, as in a VPN, on the WLAN, or TKIP (Temporal Key Integrity Protocol) encryption.

5) In a Denial of Service (DoS) attack, the intruder floods the network with either valid or invalid messages, affecting the availability of the network resources. Due to the nature of radio transmission, wireless LANs are very vulnerable to denial of service attacks. DoS attacks can be launched against APs or clients. Ping flooding the AP to paralyze its operation is a common attack. SYN flooding, Smurf attack and Fraggle attack are all flooding attacks that can be launched on a wireless LAN. In another attack on clients, tools like wlan-jack from the air-jack suite of tools can be used to broadcast disassociate messages to clients. Precaution: Network monitoring, usage of IDS or IPS software, and denying access to foreign stations by using mutual authentication (like PEAP with MSCHAPv2).
6) Accessing the AP's setup console: the use of a web browser or Telnet program to access the setup console of an access point can be a possibility. This allows the attacker to modify the configuration of the access point. Precaution: Create a new user name and password for authentication for the AP's setup access.