2 questions, 2 references, 130 words per answer.

130 words per question. Use the module as one reference and one online reference (no wiki).

1. Select one topic for discussion that you consider important regarding modern network security architecture. If the topic you want to discuss has previously been covered in one of the Modules, please enhance and elaborate on it. The following is a list of possible topics:

VLAN architecture

Firewall architecture

802.1x /AAA

SSL VPN architecture

Secure wireless LAN architecture

Many more (you may choose your own topic)

2. Enhance and elaborate on the wireless LAN and Bluetooth related security topics covered in Module 9. Share any additional thoughts you may have on them.

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing

CSEC 640

© UMUC 2012 Page 1 of 51

Contents
Topic 1: Analogy .......... 2
    Analogy: The Magic of Encryption .......... 2
Topic 2: Module Introduction .......... 4
Topic 3: 802.11 Wireless LAN Technology .......... 5
    Introduction to 802.11 WLAN .......... 5
    WLAN Infrastructure .......... 7
    Connecting to a Wireless Network .......... 9
    Understanding 802.11 WLAN Vulnerabilities .......... 14
    Basic Security Mechanisms .......... 15
    Activity .......... 17
Topic 4: 802.11 WLAN Discovery .......... 19
    Tools and Scanners .......... 19
    Rogue Hunt .......... 22
Topic 5: 802.11 Security Protocols .......... 23
    IEEE 802.1x/EAP .......... 23
    Encryption Protocols—A Comparison .......... 25
    WEP .......... 27
    WEP Attacks .......... 29
    ChopChop Attack Demo .......... 31
    WPA/WPA2 Attacks .......... 41
    Activity .......... 45
Topic 6: Bluetooth .......... 47
    What Is Bluetooth? .......... 47
Topic 7: Summary .......... 49
Glossary .......... 50


Topic 1: Analogy

Analogy: The Magic of Encryption

Wireless LAN Security
CSEC 640 – Module 9

The Magic of Encryption
IT security managers use a variety of encryption protocols, cloaking mechanisms, and
address filtering processes to protect their companies’ proprietary data. Similarly, the
Modern Museum of Magic uses security protocols to safeguard its magic books.

Step 1
The Modern Museum of Magic displays props, sells souvenirs, and hosts a daily magic
show. Headed by the popular magician Maddox, the museum stores the secrets of every
magic trick in a central safe in the museum’s basement.

Maddox: Hi, I’m Maddox. I am the head of the Modern Museum of Magic. To ensure
that our magic trick books are only accessed by authorized people, we follow strict
security protocols.

Maddox: These protocols allow the books to travel safely from the safe to my office and
back without people getting their hands on them.

While Maddox is busy guarding his magic books, across the street an IT manager,
Justine Jackson, is busy guarding the data on her network.

Justine: Hello, I’m Justine. I’m a manager at a reputable IT company. We’ve installed a
new wireless network to store and transfer our proprietary data. To protect this data, my
team has placed layered security protocols that guard the network at multiple
checkpoints.

Justine: All possible vulnerabilities that can be exploited, such as logins and file
transfers, have been given special encryption mechanisms.

Step 2

Museum
Authorized persons need an ID card to enter the museum. Senior managers need
biometric clearance to enter the basement and an encrypted 8-digit password to access
the safe.


Maddox: The password used to enter the safe is changed daily by an outsourced
security agency and sent to me at midnight. These layers of protection ensure that the
magic trick books are protected.

IT Company
To access the wireless network, authorized employees must log in with unique
usernames and passwords. To transfer confidential reports, they must use WEP and
WPA encryption codes. If at any point the network is under attack, network
administrators can hide or cloak the network’s SSID so that hackers will not be able to
detect it.

Justine: Cloaking the SSID is a trick similar to Maddox the magician making the Empire
State Building disappear!

Step 3

Defense-in-Depth Strategy
Network protocols, like the different layers of museum security, are more difficult to crack
as you get deeper. This is known as a defense-in-depth strategy and is adopted by most
software engineers.

It is a security mechanism that makes it difficult for hackers to accomplish their goal.
Only the most determined person—who has knowledge and the required skill—can
penetrate the security layers. There is no foolproof security, but there is reasonable
prudence.


Topic 2: Module Introduction

Wireless communication is one of the cornerstones of digital infrastructure. Consumer
electronic devices, such as cell phones, laptops, and televisions, all rely on wireless
local area networks (WLANs) to transfer voice and data. Corporations rely on WLANs to
stay connected to their employees and clients.

As WLANs become more widespread, the security implications of using them also
become critical. Millions of users transfer personal and privileged information daily on
their WLANs. It is paramount that these wireless networks provide their users reliability
and security against hacker theft.

This module introduces WLANs and examines two of the most commonly used wireless
technologies, 802.11 WLAN and Bluetooth. The module discusses how these
technologies are structured, the attack vectors to which they are vulnerable, and the
security mechanisms that keep them resilient.


Topic 3: 802.11 Wireless LAN Technology

Introduction to 802.11 WLAN

802.11 wireless local area network (WLAN) is today’s most widely used technology for
data transfer.

Technology Standards
Developed by a working group of the Institute of Electrical and Electronics Engineers
(IEEE), the IEEE 802.11 standard refers to a family of specifications for WLAN.

The standard has continuously improved with the release of 802.11a, 802.11b, 802.11g,
and 802.11n. 802.11g is the most widely used standard, and 802.11n is the most
recently developed standard.

Communication Technique
802.11 WLAN technology uses radio frequencies to facilitate communication. The rate of
data transfer, the radio frequency used, and the range of mobility differ for each 802.11
variant.

IEEE Standard   Top Data Rate   Radio Frequency   Approximate Range
802.11          2 Mbps          2.4 GHz           60 ft
802.11a         54 Mbps         3.7/5 GHz         100 ft
802.11b         11 Mbps         2.4 GHz           125 ft
802.11g         54 Mbps         2.4 GHz           125 ft
802.11n         300 Mbps        2.4/5 GHz         230 ft

Benefits and Limitations
The 802.11 WLAN offers many benefits to its customers but has a few limitations.

Benefits

1. Mobility: A WLAN enables wireless devices to join an IP LAN. This allows wireless
network users to connect to existing networks and still roam freely with their devices.

2. Ease of Deployment: Unlike wired networks, wireless networks do not require
running cables. These cables are time-consuming to create, expensive, and often
involve construction of infrastructure.

3. Flexibility: Once wireless infrastructure is implemented, service can be provided to
many clients without changes to the infrastructure. This kind of flexibility is a good
solution for clients whose coverage area constantly increases or decreases or who
find it costly to implement a wired solution.


Limitations

1. Bandwidth: Even the fastest wireless connection is slower than a wired connection.
For instance, the top speed of 802.11n is 300Mbit/s, whereas wired connections
easily go up to 1Gbit/s, depending on the network interface card.

2. Security: Communication transmitted on a WLAN is available to anyone within the
transmitter’s range whose equipment includes an appropriate antenna.


Topic 3: 802.11 Wireless LAN Technology

WLAN Infrastructure

The hardware used in 802.11 WLAN includes the network interface cards (NICs) used
by the clients and the access points (APs) or routers available from the service provider.
For instance, this diagram shows a wireless client and the NIC card attached to it; a
wireless AP/router that is attached to the provider’s server; and the network channels
that transport data between the NIC and the AP.

An IEEE 802.11 WLAN consists of one or more basic service sets (BSS). The BSS is a
basic building block of a WLAN. A BSS includes an AP and one or more stations (STAs).
An STA is a wireless endpoint device. Typical examples of STAs are notebook
computers with IEEE 802.11 capabilities. The AP in a BSS connects the STAs to
external (e.g., Internet) or internal networks.

Source: Scarfone, K., Dicoi, D., Sexton, M., & Tibbs, C. (2008). Guide to Securing Legacy IEEE 802.11
Wireless Networks. National Institute for Standards and Technology. Retrieved from
http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1

NIC
Clients use wireless NICs to connect to any available access point. Wireless NICs come
in several form factors, such as universal serial bus (USB) adapters, peripheral
component interconnect (PCI) cards, and personal computer (PC) cards developed by the
Personal Computer Memory Card International Association (PCMCIA).

AP
Access points are wireless switches/routers that connect the wireless client to a wired
network. Connecting to an AP is similar to plugging into a wired network, as APs are
layer 2 devices that function as an Ethernet hub, router, and switch at the same time.

APs have the option of broadcasting their service set identifier (SSID) to allow clients to
distinguish multiple networks in the area. Multiple APs can be combined to provide larger
coverage while still appearing as a single network.


Channels
Each AP uses only a fraction of the frequency band associated with the standard on
which it is operating. These fractions are referred to as channels, which vary from 10 to
40 MHz in width depending on the standard.

For example, an AP operating on the 802.11g standard can choose from 14 overlapping
channels in the 2.4 GHz range. Each channel has a width of 22 MHz.


Topic 3: 802.11 Wireless LAN Technology

Connecting to a Wireless Network

Clients connect to a wireless network through a series of transactions between the
client’s NIC and the network’s AP.

WLAN Connection Process

Step 1

The AP periodically broadcasts packets called beacons to advertise its presence. These
beacons contain the SSID or NULL, if not set.


Step 2

The client NIC sends a probe request to connect to a specific AP. The AP responds to
that request with its settings, which include the data rate, SSID, and security
implementation.

Step 3

The client’s NIC sends an authentication request to the AP, to which the AP responds
with a “success” or “failure” status.


Step 4

Once the client NIC is successfully authenticated, the NIC sends an association request
to the AP. The AP responds by setting up the data link and mapping an association
identifier (AID) to the client. The wireless connection is finally established.
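The four-step join sequence above, modelled from the access point's side as an added example (this code is not part of the UMUC module). The AccessPoint class, its frame dictionaries and the join() helper are this example's own simplification of the 802.11 station state machine: real frames carry many more fields, and the "authentication" in step 3 is 802.11 open-system authentication, which always succeeds (the real credential check belongs to 802.1x, covered later in the module). The point it makes visible is that the AP refuses an association request from a station that has not been authenticated, and that the AID handed out in step 4 is the AP's per-client bookkeeping handle:

```python
from dataclasses import dataclass, field

# Per-station states an AP keeps (the 802.11 station state machine, simplified).
NOT_AUTHENTICATED, AUTHENTICATED, ASSOCIATED = 1, 2, 3


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    security: str = "WPA2-PSK"
    data_rates: tuple = (6, 12, 24, 54)          # Mbps, constructed values
    broadcast_ssid: bool = True                  # False models a "cloaked" AP
    state: dict = field(default_factory=dict)    # station MAC -> state
    aids: dict = field(default_factory=dict)     # station MAC -> association id
    next_aid: int = 1

    def beacon(self):
        """Step 1: periodic beacon; the SSID is empty when the AP is cloaked."""
        return {"frame": "beacon", "bssid": self.bssid,
                "ssid": self.ssid if self.broadcast_ssid else ""}

    def probe(self, sta, ssid):
        """Step 2: probe request -> probe response carrying the AP's settings.
        A cloaked AP answers only probes that name its SSID explicitly."""
        wildcard = ssid in ("", "ANY")
        if ssid == self.ssid or (wildcard and self.broadcast_ssid):
            return {"frame": "probe_response", "ssid": self.ssid,
                    "rates": self.data_rates, "security": self.security}
        return None

    def authenticate(self, sta):
        """Step 3: open-system authentication; the AP answers success/failure."""
        self.state[sta] = AUTHENTICATED
        return "success"

    def associate(self, sta, ssid):
        """Step 4: association request -> AID mapping, only for authenticated
        stations; an association attempt sent out of order is refused."""
        if self.state.get(sta, NOT_AUTHENTICATED) < AUTHENTICATED:
            return {"status": "failure", "reason": "not authenticated"}
        if ssid != self.ssid:
            return {"status": "failure", "reason": "wrong SSID"}
        if sta not in self.aids:                 # the AID stays stable while associated
            self.aids[sta] = self.next_aid
            self.next_aid += 1
        self.state[sta] = ASSOCIATED
        return {"status": "success", "aid": self.aids[sta]}

    def deauthenticate(self, sta):
        """Tear-down: the station drops back to the unauthenticated state and
        its AID (the 'switch port' of the association reply) is released."""
        self.state[sta] = NOT_AUTHENTICATED
        self.aids.pop(sta, None)


def join(ap, sta_mac, ssid):
    """Client side of the exchange: probe, authenticate, then associate."""
    resp = ap.probe(sta_mac, ssid)
    if resp is None:
        return {"status": "failure", "reason": "no probe response"}
    if ap.authenticate(sta_mac) != "success":
        return {"status": "failure", "reason": "authentication failed"}
    return ap.associate(sta_mac, resp["ssid"])


if __name__ == "__main__":
    ap = AccessPoint(ssid="CorpNet", bssid="00:11:22:33:44:55")   # constructed AP
    print(ap.beacon())
    print(ap.associate("aa:bb:cc:dd:ee:01", "CorpNet"))   # refused: not authenticated
    print(join(ap, "aa:bb:cc:dd:ee:01", "CorpNet"))       # {'status': 'success', 'aid': 1}
```

Setting broadcast_ssid=False reproduces the cloaking behaviour discussed under Basic Security Mechanisms: the beacon carries an empty SSID and wildcard probes go unanswered, yet a client that already knows the name still completes all four steps.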


Beacon Packet
This Wireshark screenshot shows a regular beacon frame with the timestamp, beacon
interval, and SSID parameter set.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.


Association Reply Packet
This Wireshark screenshot shows a successful association to an AP. The AID is
equivalent to a port on a switch and helps the network keep track of all the clients that
are active at a moment in time.

Reference: Wireshark product screenshot reprinted with permission from the Wireshark Foundation.


Topic 3: 802.11 Wireless LAN Technology

Understanding 802.11 WLAN Vulnerabilities

The 802.11 WLAN is vulnerable to attacks due to its poor configuration and encryption.

Vulnerabilities Due to Poor Configuration
While WLANs are easy to deploy, their configuration is not airtight. This poor
configuration leads to inadequate or zero security for wireless network users and results
in a wide range of vulnerabilities.

For instance, WLANs are vulnerable when:
• Wireless networks are open and do not ask for client authentication at login
• APs are placed in physically unsecured locations
• APs are configured with inadequate security mechanisms

Vulnerabilities Due to Poor Encryption
Even if the AP is physically secure and an encryption protocol is in place, the AP may
still be vulnerable due to problems with the encryption protocols themselves. Though
there are many wireless encryption standards, problems have surfaced with most of
them.

Examples:
• The wired equivalent privacy (WEP) security standard is flawed and can be defeated
in a number of ways.
• The Wi-Fi Protected Access Preshared Key (WPA-PSK) and WPA2-PSK techniques
are vulnerable to brute-force and dictionary attacks.
• The Wi-Fi Protected Access-Temporal Key Integrity Protocol (WPA-TKIP) can be
vulnerable to denial of service (DoS) attacks.


Topic 3: 802.11 WLAN Technology

Basic Security Mechanisms

To provide a solution to the poor configuration issues faced by the WLAN 802.11,
network operators employ two basic security mechanisms: they cloak the network and
filter Media Access Control (MAC) addresses.

Step 1
The Transmitting Beacon
The beacon frame is a management frame in 802.11 WLAN. It contains information
about the AP transmitting the beacon, specifies the time interval between beacon
transmissions, and lists the supported data rates, timestamp, and the SSID of the
network.

Step 2
Cloaking the Network
Any unauthorized person equipped with a PC, a wireless sniffing tool, and a wireless
card or antenna can access the transmitting beacon. Through the beacon, anyone can
scan or eavesdrop on the network to locate user credentials and confidential data. The
operator of the AP can choose not to broadcast the SSID of the network. This is known
as network cloaking.

Step 3
Network Still Visible
In a cloaked network, only people who know the network’s name will be able to connect
to it. However, disabling the SSID in the beacon broadcasting still leaves the network
open. The presence of the network is still visible to everyone in range, and the network
name could be determined by a third party who listens in on legitimate clients connecting
to the network.

Step 4
Decloaking the AP
Cloaking, however, is not foolproof. Hackers can still intercept the traffic generated by
clients and discover the network. When a client joins an AP with cloaked SSID, during
the authentication the SSID is sent in plaintext. This transmitted data is visible to anyone
in range, and hackers can use the observed transmission to infer the presence of a
cloaked network and “decloak” the AP.

Step 5
MAC Address Filtering
The other option is allowing only certain MAC addresses to access the network. Each
NIC has a unique MAC address assigned to it. This address can be used to identify the
make and model of the NIC. The AP operator can use these MAC addresses to provide
service only to known NICs. This is known as MAC address filtering.


Step 6
Filtering Effort Defeated
However, there are loopholes to filtering MAC addresses. Hackers can spoof an
authenticated client’s MAC and connect to the network once the client is no longer
associated with the AP and easily defeat the filter.


Topic 3: 802.11 WLAN Technology

Activity

These are the steps required to establish a WLAN connection. Can you place them in
the correct order for the WLAN connection to be established?

Steps (write the correct order next to each step):

• The NIC sends a probe request to connect to a specific AP. The AP responds by
communicating the data rate, SSID, and security implementation. Correct order: ____

• The AP broadcasts beacons with the SSID. Correct order: ____

• The NIC sends an association request to the AP. The AP responds by setting up the
data link and mapping an AID to the client. Correct order: ____

• The NIC sends an authentication request to the AP. The AP responds with a “success”
or “failure” status. Correct order: ____

Correct answer:

• The NIC sends a probe request to connect to a specific AP. The AP responds by
communicating the data rate, SSID, and security implementation. Correct order: 2

• The AP broadcasts beacons with the SSID. Correct order: 1

• The NIC sends an association request to the AP. The AP responds by setting up the
data link and mapping an AID to the client. Correct order: 4

• The NIC sends an authentication request to the AP. The AP responds with a “success”
or “failure” status. Correct order: 3

Feedback:
Here is the correct order of the steps required to establish a WLAN connection:

1. The AP broadcasts beacons with the SSID.

2. The NIC sends a probe request to connect to a specific AP. The AP responds by
communicating the data rate, SSID, and security implementation.

3. The NIC sends an authentication request to the AP. The AP responds with a
“success” or “failure” status.

4. The NIC sends an association request to the AP. The AP responds by setting up the
data link and mapping an AID to the client.


Topic 4: 802.11 WLAN Discovery

Tools and Scanners

WLAN discovery is the process of listing all available wireless networks within range and
is the first step in wireless penetration testing, or “pentesting.” WLAN discovery tools fall
under two categories: active and passive scanners.

Active Scanner

Step 1

Active scanners send probe requests to all nearby APs with SSID set to “ANY.”

Step 2

Most routers reply to these probe requests with broadcast beacons, which the scanner
uses to detect the existence of an AP. Broadcast beacons are transmitted by all APs
periodically and usually contain the SSID. Active scanners can discover these networks.

Passive Scanner

Step 1

Passive scanners monitor all traffic generated on the radio frequency, including
broadcast beacons.

Step 2

They are able to detect “hidden” networks by inferring the presence of the networks via
data traffic. Pentesters prefer passive scanners since they don’t directly interact with any
of the APs, making them harder to spot.


Step 3

Reference: Kismet product screenshot reprinted with permission from Kismet Wireless.

Kismet is an 802.11 wireless network detector and sniffer for the UNIX environment.
Kismet passively collects beacon packets to detect standard named and hidden
networks. After identifying the network, it decloaks clients that join in. This screenshot
shows the available wireless networks in range with hidden networks displayed as
.
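The passive-scanner logic that the Kismet passage above and the beacon/cloaking/decloaking discussion in Topic 3 describe, written out as an added example that is not part of the module and not Kismet's own code. It parses the raw 802.11 management frames a monitor-mode capture would deliver (beacon, probe request, association request), records every BSSID seen in a beacon, flags beacons whose SSID element is empty as cloaked, and fills in the hidden name when a client's association request, which carries the SSID in plaintext, is observed. The three frames at the bottom are constructed for the example, and build_mgmt_frame(), PassiveScanner and the other names are this example's own:

```python
import struct

# 802.11 management-frame subtypes used here (frame-control subtype field).
ASSOC_REQUEST, PROBE_REQUEST, BEACON = 0, 4, 8
SSID_IE = 0                      # element ID of the SSID tagged parameter


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, da, sa, bssid, body):
    """Constructed frame: 24-byte management header (frame control, duration,
    DA, SA, BSSID, sequence control) followed by the frame body."""
    header = struct.pack("<BBH", subtype << 4, 0, 0)   # type bits 00 = management
    header += mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid)
    header += struct.pack("<H", 0)
    return header + body


def ssid_ie(ssid):
    raw = ssid.encode()
    return bytes([SSID_IE, len(raw)]) + raw


def parse_ies(data):
    """Walk the tagged parameters: {element id: value}."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def parse_mgmt_frame(frame):
    """Return the fields a scanner needs, or None for frames it does not use."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                       # not a management frame
        return None
    subtype = fc0 >> 4
    sa, bssid = mac_str(frame[10:16]), mac_str(frame[16:22])
    body, timestamp, interval = frame[24:], None, None
    if subtype == BEACON:           # fixed fields: timestamp(8) interval(2) capability(2)
        timestamp, interval, _cap = struct.unpack_from("<QHH", body, 0)
        ies = parse_ies(body[12:])
    elif subtype == ASSOC_REQUEST:  # fixed fields: capability(2) listen interval(2)
        ies = parse_ies(body[4:])
    elif subtype == PROBE_REQUEST:  # body is tagged parameters only
        ies = parse_ies(body)
    else:
        return None
    return {"subtype": subtype, "sa": sa, "bssid": bssid, "timestamp": timestamp,
            "interval": interval, "ssid": ies.get(SSID_IE)}


def ssid_is_cloaked(raw):
    """Cloaked APs send a zero-length SSID; some firmware sends all-NUL bytes."""
    return len(raw) == 0 or set(raw) == {0}


class PassiveScanner:
    """Tracks every BSSID seen in beacons and resolves cloaked names from the
    plaintext SSID in clients' association requests (the text's 'decloaking').
    It never transmits, so an AP cannot tell it is being observed."""

    def __init__(self):
        self.networks = {}   # bssid -> {"ssid": str|None, "cloaked": bool, "interval": int}

    def feed(self, frame):
        f = parse_mgmt_frame(frame)
        if f is None or f["ssid"] is None:
            return
        name = None if ssid_is_cloaked(f["ssid"]) else f["ssid"].decode(errors="replace")
        if f["subtype"] == BEACON:
            rec = self.networks.setdefault(f["bssid"], {"ssid": None, "cloaked": False})
            rec["interval"] = f["interval"]
            if name is None:
                rec["cloaked"] = True
            else:
                rec["ssid"] = name
        elif f["subtype"] == ASSOC_REQUEST and f["bssid"] in self.networks:
            rec = self.networks[f["bssid"]]
            if rec["ssid"] is None and name is not None:
                rec["ssid"] = name

    def report(self):
        return {b: (r["ssid"] or "<hidden>") + (" (cloaked)" if r["cloaked"] else "")
                for b, r in self.networks.items()}


# Constructed capture: a broadcasting AP, a cloaked AP, and a client joining the
# cloaked AP (its association request carries the SSID in the clear).
BCAST, CLIENT = "ff:ff:ff:ff:ff:ff", "aa:bb:cc:dd:ee:01"
AP_OPEN, AP_CLOAKED = "00:11:22:33:44:55", "00:11:22:33:44:66"
BEACON_FIXED = struct.pack("<QHH", 0x1234, 100, 0x0431)   # timestamp, 100 TU, capabilities
SAMPLE_FRAMES = [
    build_mgmt_frame(BEACON, BCAST, AP_OPEN, AP_OPEN, BEACON_FIXED + ssid_ie("CorpNet")),
    build_mgmt_frame(BEACON, BCAST, AP_CLOAKED, AP_CLOAKED, BEACON_FIXED + ssid_ie("")),
    build_mgmt_frame(ASSOC_REQUEST, AP_CLOAKED, CLIENT, AP_CLOAKED,
                     struct.pack("<HH", 0x0431, 10) + ssid_ie("Hidden")),
]


def scan(frames=SAMPLE_FRAMES):
    scanner = PassiveScanner()
    for fr in frames:
        scanner.feed(fr)
    return scanner


if __name__ == "__main__":
    print(scan().report())   # {'00:11:22:33:44:55': 'CorpNet', '00:11:22:33:44:66': 'Hidden (cloaked)'}
```

Fed with a real capture (for instance the frames behind the Wireshark beacon screenshot earlier in this module), the same parser yields the timestamp, beacon interval and SSID parameter that screenshot shows; the scanner only needs the SSID element and the BSSID to build its table.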


Topic 4: 802.11 WLAN Discovery

Rogue Hunt

A “rogue” wireless access point is an unauthorized AP through which anyone can connect
to a network and access files. Sometimes rogue access points are set up by company
employees who create their own unauthorized connections, often for convenience. Rogue
access points can also emerge when routers are installed in their default, unsecured
state from the factory, and others can be set up on a company LAN behind the company
firewall.

Companies with LANs should run routine checks or conduct rogue hunts for
unauthorized APs as part of their regular network security audits.

Rogue Hunt
To conduct a rogue hunt, network operators periodically run wireless scanners from
multiple points in the area under investigation to spot networks and pinpoint their
physical locations.

Rogue Neglect
Most companies, however, do not use authorized wireless services, so they neglect
wireless security and fail to conduct wireless checks. Unfortunately, this attitude
encourages the possibility of rogue devices being installed by employees or hackers.

Source: Hurley, C., Rogers, R., Thornton, F., Connelly, D., & Baker, B. (2006). WarDriving and
Wireless Penetration Testing. Rockland, MA: Syngress.
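A rogue hunt reduced to code, as an added example that is not from the module or from its cited source. It takes scanner observations gathered from several survey points (constructed here), compares each BSSID with the organization's AP inventory, classifies what it finds, and uses the strongest signal reading to estimate where a device sits, which is the "pinpoint their physical locations" step above. AUTHORIZED_APS, SCAN_RESULTS, rogue_hunt() and the classification names are this example's own:

```python
# Inventory of APs the organization owns (constructed): bssid -> expected config.
AUTHORIZED_APS = {
    "00:11:22:33:44:55": {"ssid": "CorpNet", "channel": 6},
    "00:11:22:33:44:66": {"ssid": "CorpNet", "channel": 11},
}

# Observations from a scanner run at two survey points (constructed).
SCAN_RESULTS = [
    {"bssid": "00:11:22:33:44:55", "ssid": "CorpNet", "channel": 6, "signal": -45, "point": "lobby"},
    {"bssid": "00:11:22:33:44:66", "ssid": "CorpNet", "channel": 1, "signal": -60, "point": "lobby"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpNet", "channel": 6, "signal": -70, "point": "lobby"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CorpNet", "channel": 6, "signal": -40, "point": "3rd floor east"},
    {"bssid": "c0:ff:ee:00:00:01", "ssid": "linksys", "channel": 6, "signal": -55, "point": "3rd floor east"},
    {"bssid": "11:22:33:44:55:77", "ssid": "NeighborCafe", "channel": 11, "signal": -85, "point": "lobby"},
]

# How urgently each classification needs a follow-up visit.
SEVERITY = {"authorized": 0, "neighbor": 0, "config_drift": 1,
            "rogue_candidate": 2, "impersonation": 3}


def classify(obs, authorized, known_neighbors):
    """One observation -> what kind of device it suggests."""
    expected = authorized.get(obs["bssid"])
    if expected is not None:
        same = (obs["ssid"], obs["channel"]) == (expected["ssid"], expected["channel"])
        return "authorized" if same else "config_drift"
    if obs["ssid"] in {a["ssid"] for a in authorized.values()}:
        return "impersonation"          # our network name from hardware we do not own
    if obs["ssid"] in known_neighbors:
        return "neighbor"               # documented next-door network, not ours to fix
    return "rogue_candidate"            # unknown AP in range; includes default-config routers


def rogue_hunt(scan_results, authorized, known_neighbors=()):
    """Merge observations per BSSID, keep the most severe classification, and
    record the survey point with the strongest signal as the likely location."""
    report = {}
    for obs in scan_results:
        kind = classify(obs, authorized, known_neighbors)
        entry = report.setdefault(obs["bssid"], {
            "kind": kind, "ssid": obs["ssid"],
            "strongest_at": obs["point"], "signal": obs["signal"]})
        if SEVERITY[kind] > SEVERITY[entry["kind"]]:
            entry["kind"] = kind
        if obs["signal"] > entry["signal"]:
            entry["strongest_at"], entry["signal"] = obs["point"], obs["signal"]
    return report


def findings(report, min_severity=1):
    """BSSIDs that need follow-up, most severe first."""
    hits = [(b, e) for b, e in report.items() if SEVERITY[e["kind"]] >= min_severity]
    return sorted(hits, key=lambda be: -SEVERITY[be[1]["kind"]])


if __name__ == "__main__":
    report = rogue_hunt(SCAN_RESULTS, AUTHORIZED_APS, known_neighbors=("NeighborCafe",))
    for bssid, e in findings(report):
        print(f'{bssid}  {e["kind"]:16} ssid={e["ssid"]!r} '
              f'strongest at {e["strongest_at"]} ({e["signal"]} dBm)')
```

Running the scanner from more survey points refines the location estimate; the inventory lookup is what turns a list of networks in range into an audit finding, which is why the text ties rogue hunts to the regular security audit rather than to ad hoc scanning.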


Topic 5: 802.11 Security Protocols

IEEE 802.1x/EAP

IEEE 802.1x, a port-based network access control, is a standardized authentication
framework and layer 2 protocol designed to provide enhanced security for wireless LAN
users. IEEE developed the 802.11i standard for WLAN authentication and authorization
to use IEEE 802.1x.

802.1x authenticates the network client or user, not the network’s hardware.
Authentication is carried out by:
• Checking the information or credentials of network clients before their data is
transmitted across network devices.
• Defining how the Extensible Authentication Protocol (EAP) frames can be
encapsulated between a user’s computer and a switch or wireless access point.
• No longer requiring the AP to advertise its SSID. Users just make an access request
to the WLAN by providing their credentials, such as username/password, to APs.

There are three primary components in the IEEE 802.1x authentication process.

Supplicant or Client
The supplicant is any user device—PC, notebook, IP Phone—that supports the IEEE
802.1x and EAP standards. Supplicants send their login credentials to the authenticator.

Authenticator
The authenticator is a switch or wireless access point that acts as a proxy to relay a
user’s credentials between the supplicant and the authentication server. When the
authenticator receives the credentials via EAP over LAN (EAPOL) frames, it passes
them to the authentication server. In this way, the authenticator manages to enforce
physical access control to the network without directly authenticating the
supplicant/client.


Authentication Server
The authentication server uses the RADIUS protocol to validate client credentials
against its user database. Accordingly, it notifies the authenticator whether the client is
allowed or denied access to the network. RADIUS is one of the most widely used
authentication protocols providing authentication, authorization, and accounting (AAA)
functions on many network devices.

If the EAP authentication is successful, the AAA server sends an EAP success message
to the AP. This allows data traffic from the client to pass through the virtual port of the
AP. If the authentication is not successful, the AAA server sends an EAP failure
message to the AP. Then the AP blocks the client from accessing the WLAN.
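The three-party exchange above as an added example that is not from the module: a supplicant's credentials travel through an authenticator that only relays them, the authentication server checks them against the user database that only it holds and answers with Access-Accept or Access-Reject, and the authenticator opens, or keeps closed, the per-client controlled port accordingly. The classes are this example's own. Passing a password inside a dictionary stands in for a real EAP method (EAP-TLS, PEAP and the like run inside the RADIUS exchange and never expose a password this way); the attribute names User-Name, User-Password, Calling-Station-Id and NAS-Identifier are real RADIUS attributes, used here only as dictionary keys:

```python
import hashlib
import hmac
import os


class AuthenticationServer:
    """AAA server: the only component that ever sees the user database."""

    def __init__(self):
        self._users = {}          # username -> (salt, PBKDF2 hash)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def access_request(self, attrs):
        """RADIUS-style Access-Request -> Access-Accept / Access-Reject."""
        rec = self._users.get(attrs["User-Name"])
        if rec is None:
            return {"code": "Access-Reject"}
        salt, stored = rec
        if hmac.compare_digest(self._derive(attrs["User-Password"], salt), stored):
            return {"code": "Access-Accept", "User-Name": attrs["User-Name"]}
        return {"code": "Access-Reject"}


class Authenticator:
    """Switch/AP: relays EAP between supplicant and server and gates the
    controlled port. It never validates a credential itself."""

    def __init__(self, server, nas_id="ap-lobby-1"):
        self.server = server
        self.nas_id = nas_id
        self.port_authorized = {}     # supplicant MAC -> bool

    def eapol(self, sta_mac, eap_response):
        """EAPOL frame from the supplicant -> RADIUS to the server -> EAP result."""
        reply = self.server.access_request({
            "User-Name": eap_response["identity"],
            "User-Password": eap_response["password"],
            "Calling-Station-Id": sta_mac,
            "NAS-Identifier": self.nas_id,
        })
        ok = reply["code"] == "Access-Accept"
        self.port_authorized[sta_mac] = ok      # EAP-Success opens the virtual port
        return "EAP-Success" if ok else "EAP-Failure"

    def forward_data(self, sta_mac, payload):
        """Data passes only through an authorized controlled port; the
        uncontrolled port carries EAPOL alone, so anything else is dropped."""
        if not self.port_authorized.get(sta_mac, False):
            return None
        return payload

    def logoff(self, sta_mac):
        """EAPOL-Logoff (or a disassociation) closes the port again."""
        self.port_authorized[sta_mac] = False


def demo():
    """Walk one client through failure, success and logoff; True if the port
    behaved as the text describes at every step."""
    server = AuthenticationServer()
    server.add_user("alice", "correct horse battery")        # constructed user
    ap = Authenticator(server)
    sta = "aa:bb:cc:dd:ee:01"
    results = [
        ap.forward_data(sta, b"GET /") is None,                                  # blocked before auth
        ap.eapol(sta, {"identity": "alice", "password": "wrong"}) == "EAP-Failure",
        ap.forward_data(sta, b"GET /") is None,                                  # still blocked
        ap.eapol(sta, {"identity": "alice", "password": "correct horse battery"}) == "EAP-Success",
        ap.forward_data(sta, b"GET /") == b"GET /",                              # port open
    ]
    ap.logoff(sta)
    results.append(ap.forward_data(sta, b"GET /") is None)
    return all(results)


if __name__ == "__main__":
    print("802.1x port gating behaves as described:", demo())
```

The split of responsibilities is the security property: compromising an authenticator yields no credentials, because it only ever holds the relayed EAP frames and a per-port boolean, while the server that holds the database is reachable only through the authenticator's RADIUS connection.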


Topic 5: 802.11 Security Protocols

Encryption Protocols—A Comparison

There are several encryption options available for 802.11 WLAN users. Depending on
which protocol the WLAN is using, clients must carry out certain encryption and
authentication procedures when they log in to a wireless connection.

Protocol: Open Access
  Encryption procedure: There is no encryption used.
  Authentication procedure: Authentication is limited to filtering MAC addresses.

Protocol: Wired Equivalent Privacy (WEP)
  Encryption procedure: The encryption is weak, and the protocol is not scalable if the
  network area increases.
  Authentication procedure: Authentication is driven by preshared keys (PSK) and is not
  strong, similar to “open access” authentication.

Protocol: Wi-Fi Protected Access (WPA)
  Encryption procedure: The WPA-Temporal Key Integrity Protocol (TKIP) is used for
  encryption/decryption.
  Authentication procedure: Various authentication algorithms are available: PSK
  authentication and many Extensible Authentication Protocol (EAP)-based authentication
  protocols, including 802.1x/EAP.

Protocol: Wi-Fi Protected Access 2 (WPA2)
  Encryption procedure: WPA2 supports the Counter Mode with Cipher Block Chaining
  Message Authentication Code Protocol (CCMP) encryption method based upon the
  Advanced Encryption Standard (AES).
  Authentication procedure: Various authentication algorithms are available: PSK
  authentication and many Extensible Authentication Protocol (EAP)-based authentication
  protocols, including 802.1x/EAP.

WEP
Wired Equivalent Privacy (WEP) is the first encryption standard developed for wireless
networks. WEP is no longer considered secure; many vulnerabilities were discovered,
particularly the weakness of the encryption.

WPA
To replace WEP, a new wireless security standard, Wi-Fi Protected Access (WPA), was
released by the Wi-Fi Alliance in 2003. Note that WPA is an interim solution leading to
WPA2, also known as 802.11i. This means WPA2 is the actual wireless security standard.
The major difference between WPA and WPA2 is the encryption method used: WPA uses
TKIP, while WPA2 uses AES as the default and TKIP as optional.

WPA-TKIP
The Temporal Key Integrity Protocol (TKIP) is an encryption method used by WPA. TKIP
was developed on top of WEP to fix all known vulnerabilities of WEP. Although TKIP is
much stronger than WEP, it is not perfectly secure and has a few vulnerabilities.


WPA2
WPA2 is the full IEEE 802.11i wireless security specification, approved by IEEE in 2004.
It supports the CCMP encryption mechanism, which is based on the AES cipher and used
as an alternative to TKIP. It also supports strong encryption and authentication methods
for ad hoc networks as well as infrastructure networks.


Topic 5: 802.11 Security Protocols

WEP

WEP encryption can be deployed in two strengths: 64-bit and 128-bit. To associate with
a WEP-encrypted network, clients use a password or secret key, entered as an ASCII key
or a hexadecimal key. Part of the per-packet key material (the initialization vector,
described below) is transmitted in plaintext, which is one of the flaws in WEP encryption.

WEP Encryption Process

Step 1

At the back end, WEP generates 24-bit random numbers called initialization vectors (IV).

Step 2

The IV and the key are fed into the RC4 algorithm, a stream cipher that works as a
pseudorandom keystream generator, to produce the keystream.


Step 3

The keystream and the plaintext are combined through a binary XOR operation to
produce the encrypted version of the clear text, which is the ciphertext.

Step 4

For each data packet, a new IV is generated. The IV is then transmitted along with the
encrypted packet. However, the IV is clear text, which can be easily monitored and read
by malicious users. In the diagram, ciphertext is being sent to a destination along with
the IV.
   


Topic 5: 802.11 Security Protocols

WEP Attacks

WEP’s weakness in implementing the RC4 algorithm makes the WEP encryption
vulnerable to two types of attacks: FMS and ChopChop.

FMS Attacks
FMS attacks are named after Scott Fluhrer, Itsik Mantin, and Adi Shamir. They
discovered that about 9,000 of the possible 16 million IVs transmitted during WEP
encryption could be considered weak.

To carry out a successful FMS attack, hackers must:
• Collect at least 5 million encrypted packets to crack the WEP key. Sometimes,
though, the attacks are successful with as few as 1,500 weak IVs, and sometimes it
takes more than 5,000 before the crack is successful.
• Feed back the weak IVs collected into the RC4 algorithm to reveal the first byte of
the key.
• Repeat this process for each additional byte until the WEP key is cracked.

Source: Hurley, C., Rogers, R., Thornton, F., Connelly, D., & Baker, B. (2006). WarDriving and Wireless
Penetration Testing. Rockland, MA: Syngress.

FMS Attack Variations
Two attacks, known as the Korek and PTW attacks, are also key recovery attacks that
extend from, or are based upon, the FMS attack. For example, to recover a WEP key,
the FMS attack sends 5 million packets to the AP to get a valid response. The PTW
attack significantly reduces the number of packets sent to the AP to about 35,000–
40,000. The PTW attack succeeds with a probability greater than or equal to 50 percent
compared to the FMS attack.

ChopChop Attacks
The goal of a ChopChop attack is to decrypt a WEP data packet without knowing the
WEP master key. A keystream is made up of two parts: the (master) key and IV. Both
parts are fed into an RC4, and the RC4 generates the keystream. The goal of the
ChopChop attack is to decrypt a data packet and obtain the keystream.

Step 1
The attack begins by truncating an encrypted packet (transmitted by a victim) at the end
by one byte at a time. The goal of the attacker is to correctly guess the value of this byte.
Since 1 byte is equal to 8 bits, the attacker tries out a maximum of 256 values (all
permutations of 8 bits) to figure out the correct value.

Step 2
Via a mathematical technique developed by a person under the pseudonym KoreK, the
attacker reconstructs a packet using a guessed value and the truncated packet. Then
the attacker sends the newly constructed packet back to the AP. If the attacker’s guess
is incorrect, the AP silently discards the packet. If the guess is correct, the AP generates
an error message. This error message signifies that the AP does not recognize the data
packet but is able to decrypt the packet. At this point, the attacker knows the plaintext of
the truncated byte and, thus, the corresponding keystream byte. The attacker repeats
step 1 (keeps truncating the packet at the end by one byte) and step 2 until the entire
keystream is obtained.

Step 3
This step is not a part of a ChopChop attack. However, if the attacker wants to obtain the
WEP (master) key, he or she can launch a PTW attack: The attacker chooses a valid
packet (e.g., a valid ARP packet), and encrypts it using the keystream obtained from the
successful ChopChop attack. Then, the encrypted packet is injected into the victim AP to
induce the AP to generate new network traffic. From this network traffic, the attacker is
able to obtain a collection of IVs and finally, obtains the WEP (master) key.

Students who want to know more about the mathematical details of a ChopChop attack
should read the following paper:
Beck, M., & Tews, E. (2008). Practical attacks against WEP and WPA. Retrieved from
http://dl.aircrack-ng.org/breakingwepandwpa

Topic 5: 802.11 Security Protocols

ChopChop Attack Demo

Introduction
This demo shows a fully configured AP with no active clients connected to it. In this
demo, the attacker carefully executes 10 steps to launch an effective ChopChop and
PTW attack. At the end of both these attacks, the attacker will have obtained the
keystream and IV, which can be used to crack the WEP-encrypted data packet.

Step 1
This screenshot displays the graphical user interface (GUI) of the AP. The client is
configuring the WEP key password or preshared key (PSK), which is indicated as
b906060111. Note that the security mode of the target AP is configured to use a 64-bit
WEP key.

Reference: Gerix Wifi Cracker product screenshots reprinted with permission from the authors at Tiger
Security Srl (www.tigersecurity.it). Aircrack NG product screenshots reprinted with permission from authors
of the software.

Step 2
This is a screenshot of the Gerix Wifi Cracker, which is the GUI of the Aircrack-NG tool.
Aircrack-NG is a tool that helps attackers crack WEP and WPA-PSK encrypted keys. By
using the NG tool, the attacker will attempt to recover the preshared key entered by the
client in step 1.

Step 3
The attacker starts setting up. First, the attacker selects an interface. The name mon0
indicates a monitor-mode interface (interface number zero). In the Interface field, the MAC
address of the attacker’s wireless NIC is also visible.

You will notice that the NG tool is able to detect all wireless networks currently within
range. From this entire list, the attacker selects testnetwork as the
target network. In the next step, the attacker will begin collecting beacon data packets
from the AP associated with testnetwork.

Step 4
The hacker clicks the Start Sniffing and Logging button to begin grabbing the beacon
packets from testnetwork’s AP. The black interface window on the left side displays the
number of beacon packets that the NG tool has collected so far. This number will keep
increasing as the tool keeps scanning the AP.

Step 5
All the attacker really needs is a single beacon frame to launch the ChopChop attack. In
the Aircrack-NG window on the left, you can see a captured frame from the AP. The size
of the captured frame is 346 bytes. After collecting the required beacon packet, the
attacker clicks Start the ChopChop attack.

Step 6
The ChopChop attack is in progress. This is indicated by the Offset displayed in the
black window. Notice that the Offset’s value keeps decreasing by one byte as the attack
progresses. To understand why this happens, it is important to know what data is
contained in the beacon packet, and how the attacker manipulates that data.

Beacon Packet
Now, each beacon packet that comes from the AP includes a header, encrypted data,
and an encrypted ICV value. The ICV is a 32-bit long plaintext code used for integrity
testing of data packets when they contact the AP. The attacker knows the boundary
between the encrypted data and ICV plaintext. Using the NG tool, the attacker grabs the
last byte of the data portion of the encrypted data packet.

The offset displayed in the black window keeps decreasing by one byte as the attacker
progresses (since the attacker keeps chopping the packet at the end by one byte). At
this point, the attacker has sent 24 packets to the AP to check whether the guess is
correct. The attacker will keep sending many more frames until he or she gets all correct
guesses.

Step 7
This screenshot shows that the attacker has made correct guesses and obtained the
keystream. The ChopChop attack is successful!

The lower left of the Aircrack-NG window displays two important log messages for the
attacker:
1. The tool has cracked the plaintext, and it is stored in the filename “replay.”
2. The keystream is cracked and saved in the “XOR” file.

Guessing the Value
How does the AP respond to the attacker’s guesses? If the value sent in the beacon
packet to the AP is correct, the AP will recognize this packet but will send an error
message. The error message indicates to the attacker that his or her guess is correct. If
the guess is not correct, the AP ignores it since the AP cannot decrypt anything out of
the packet.

Step 8
Using the keystream obtained in the ChopChop attack, the attacker launches a new
attack—the PTW attack. The NG tool is instructed to create Address Resolution Protocol
(ARP) packets, which are XORed with the keystream. The attacker uses the RC4
algorithm to “reverse engineer” the keystream back into the master key and the IV.

Next, the tool will inject the ARP packets in the victim AP to get a list of IVs.

Step 9
The attacker’s final goal is to find the master key. When the AP receives a data packet
with the keystream, the AP thinks it has been sent from the client and responds. By
injecting ARP packets into the victim AP, the attacker hopes to create a tremendous
amount of response traffic from the AP.

In each response, the AP broadcasts new IVs. By collecting enough responses, the
attacker is able to extract the IV that leads to the WEP master key. These newly
captured IVs will be used to crack the key in the next step.

ARP Injection
The highlighted text in this screenshot displays the contents of the ARP packet to be
injected into the AP. The attacker is then asked a question: “Use this packet?”
If the attacker wants to inject this packet, then he or she must type “y” as is done in this
screenshot.
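Seen from the AP or from a monitor-mode sensor, the chop-and-resend loop of Steps 1 and 2 and the ARP re-injection of Steps 8 and 9 each leave a distinctive trace, and neither needs the WEP key to spot. The detector below is an added example, not code from the module or from Aircrack-NG; the frame records, timestamps and MAC addresses are constructed.

```python
"""Detect the two injection patterns from the ChopChop/PTW demo above.

Added example, not from the module or from Aircrack-NG.  It consumes
per-frame metadata a monitor-mode sensor (or the AP itself) has without
any key: timestamp, source MAC, frame length, the 24-bit IV and whether the
ICV verified.  Frames and MAC addresses below are constructed.
"""
from collections import defaultdict, deque


def detect_chopchop(frames, min_run: int = 8) -> dict:
    """Longest run, per source, of consecutive frames each exactly one byte
    shorter than the previous one: the chop / guess / resend loop of Steps 1-2.
    Returns {src: run_length} for runs of at least min_run frames."""
    last_len, run, best = {}, defaultdict(int), defaultdict(int)
    for f in frames:
        src = f["src"]
        run[src] = run[src] + 1 if last_len.get(src) == f["len"] + 1 else 1
        last_len[src] = f["len"]
        best[src] = max(best[src], run[src])
    return {s: n for s, n in best.items() if n >= min_run}


def icv_failures_by_src(frames) -> dict:
    """Frames the AP had to discard (bad ICV), per source.  Almost every
    wrong guess in the chop loop lands here, so this counter corroborates
    detect_chopchop() from the AP side."""
    fails = defaultdict(int)
    for f in frames:
        if not f["icv_ok"]:
            fails[f["src"]] += 1
    return dict(fails)


def detect_replay(frames, window: float = 1.0, threshold: int = 20) -> dict:
    """Sources that resend the same (IV, length) frame at least 'threshold'
    times within 'window' seconds: the ARP re-injection of Steps 8-9, whose
    only purpose is to make the AP answer with fresh IVs.  A legitimate
    station picks a new IV per frame, so the same IV back to back is a replay.
    Returns {src: peak_repeats_in_window}."""
    recent = defaultdict(deque)      # (src, iv, len) -> timestamps inside window
    peak = defaultdict(int)
    for f in frames:
        q = recent[(f["src"], f["iv"], f["len"])]
        q.append(f["t"])
        while f["t"] - q[0] > window:
            q.popleft()
        peak[f["src"]] = max(peak[f["src"]], len(q))
    return {s: n for s, n in peak.items() if n >= threshold}


def _frame(t, src, length, iv, icv_ok=True) -> dict:
    return {"t": t, "src": src, "len": length, "iv": iv, "icv_ok": icv_ok}


ATTACKER = "00:aa:bb:cc:dd:ee"   # constructed
STATION = "00:11:22:33:44:55"    # constructed

SAMPLE = []
# Legitimate station: varied lengths, a fresh IV per frame, ICV valid.
for i in range(10):
    SAMPLE.append(_frame(0.10 * i, STATION, 120 + 7 * i, 0x100000 + i))
# Chop loop on a 346-byte frame: 24 resends, each one byte shorter; only the
# correct guesses (here every eighth) carry an ICV the AP accepts.
for i in range(24):
    SAMPLE.append(_frame(1.0 + 0.05 * i, ATTACKER, 346 - i, 0x2A2A2A + i,
                         icv_ok=(i % 8 == 7)))
# ARP re-injection: one 68-byte frame with one IV, 40 times in 0.4 s.
for i in range(40):
    SAMPLE.append(_frame(3.0 + 0.01 * i, ATTACKER, 68, 0x3B3B3B))

if __name__ == "__main__":
    print("chop runs   :", detect_chopchop(SAMPLE))
    print("icv failures:", icv_failures_by_src(SAMPLE))
    print("replays     :", detect_replay(SAMPLE))
```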

Step 10
After clicking the Aircrack-ng – Decrypt WEP password button, the PTW attack resumes.
After the attack is completed, the lower left window shows the “KEY FOUND!” message.
The key is B9:06:06:01:11, which is the same as seen in Step 1.

Topic 5: 802.11 Security Protocols

WPA/WPA2 Attacks

Dictionary Attacks
WPA-PSK and WPA2-PSK are both vulnerable to brute-force or dictionary attacks. The
attack relies on capturing the four-way EAPOL handshake the protocols use to
authenticate clients. The attacker can either wait for a legitimate handshake or force an
already authenticated client to reauthenticate with the AP.

Once the authentication process has been captured, the attacker feeds candidate
passwords into the key-derivation (encryption) algorithm, taken either from a password
list or dictionary, or generated exhaustively (brute force), and compares each result
to the captured handshake.

If the results match, the password is found. Depending on the type of password,
dictionary attacks may reveal the password in seconds. Strong passwords may take
months or longer to find via the brute-force method.
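The reason one passphrase falls in seconds and another holds for months is the per-candidate cost of deriving the PMK (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID) multiplied by the size of the space the passphrase was drawn from. The example below, added here and not code from the module, Aircrack-NG or John the Ripper, derives the PMK as WPA/WPA2-PSK specifies and estimates worst-case search times; the SSID and the passphrase classes are assumptions.

```python
"""Cost of the WPA/WPA2-PSK dictionary attack described above, as a
function of passphrase strength.  Added example, not from the module,
Aircrack-NG or John the Ripper.

Checking one candidate against a captured four-way handshake first needs
the PMK, PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
Those 4096 rounds are what slows a guesser down, so the size of the space
the passphrase was drawn from decides between seconds and months.
"""
import hashlib
import string
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key as defined for WPA/WPA2-PSK (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def measure_pmk_rate(ssid: str, samples: int = 40) -> float:
    """Rough PMK derivations per second for one CPU core on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


# Passphrase classes to compare (assumed); the demo passphrase "marangla"
# falls in the first one.
PASSPHRASE_CLASSES = {
    "8 lowercase letters": (8, string.ascii_lowercase),
    "8 mixed case + digits": (8, string.ascii_letters + string.digits),
    "12 mixed case + digits": (12, string.ascii_letters + string.digits),
    "16 printable ASCII": (16, string.printable.strip()),
}


def keyspace(length: int, alphabet: str) -> int:
    """Number of candidates an exhaustive search of this class must try."""
    return len(alphabet) ** length


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case search time at 'rate' PMK derivations per second."""
    return space / rate


def estimate_table(rate: float) -> dict:
    """{class name: worst-case seconds} for PASSPHRASE_CLASSES at 'rate'."""
    return {name: seconds_to_exhaust(keyspace(n, alpha), rate)
            for name, (n, alpha) in PASSPHRASE_CLASSES.items()}


if __name__ == "__main__":
    ssid = "testnetwork"     # assumed SSID (the WPA demo does not show one)
    rate = measure_pmk_rate(ssid)
    print(f"~{rate:,.0f} PMK derivations/s on this core (SSID {ssid!r})")
    for name, secs in estimate_table(rate).items():
        print(f"{name:<24} {secs / 86400:>18,.1f} days, worst case")
```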

Demo
Introduction
In this demo, the attacker is a malicious eavesdropper who listens to legitimate clients
connecting to the WPA2 AP. The attacker uses two tools to complete this task:
Aircrack-NG and John the Ripper.

Step 1
In this screenshot, the target access point is configured to use WPA2, and the
encryption selected is AES. The passphrase used for this demo is marangla, shown in
the top right corner.

Reference: Aircrack NG product screenshots reprinted with permission from authors of the software.

Step 2
In this screenshot, the attacker is launching an attack using the Aircrack-NG tool (in a
Linux environment).

Step 3
The Aircrack-NG tool displays that it is currently monitoring the target wireless network.
For example, it has received and monitored 104 beacons. A victim client has not
appeared yet.

Step 4
After receiving and monitoring 413 beacons, a probe packet comes through. This means
a wireless victim client has accessed the AP.

Step 5
The attacker uses the John the Ripper password-cracking tool to generate a list of
passwords. This list is fed into the Aircrack-NG tool to crack the passphrase.

Step 6
The result after running the Aircrack-NG tool shows that the passphrase marangla is
found.

Topic 5: 802.11 Security Protocols

Activity

Question 1: Assess the vulnerability of the following 802.11 WLAN AP and select the
issues that you notice.
Mode: 802.11B/G
Channel: 11
SSID: linksys
Encryption: WEP
Associated clients: 2
Mac address filtering: ON

Options:
a. The encryption key can be cracked with a brute-force attack.
b. The encryption key can be cracked using an FMS attack.
c. The beacon packets can be decrypted with a ChopChop attack.
d. The MAC addresses of clients are visible to an attacker.

Correct answer: All

Feedback:
All these encryption keys can theoretically be cracked by a brute-force attack. However,
some keys might take more time than others. FMS is one of the most standard attacks
against WEP. Packets encrypted with the WEP RC4 algorithm can be decrypted if the
router responds with error messages to unassociated clients. Data transmitted over the
air, which includes the MAC address of the source and destination, is visible to all.

Question 2: Assess the vulnerability of the following 802.11 WLAN AP and select any
issue that you notice.
Mode: 802.11N
Channel: 2
SSID:
Encryption: WPA2-PSK
Associated clients: 0
Mac address filtering: OFF

Options:
a. The network is completely hidden; no clients are associated, and the SSID broadcast
is turned off.
b. The encryption key can be cracked with a dictionary attack if a user joins the network
and the association sequence is captured.
c. Packets can be decrypted with a ChopChop attack.
d. The MAC address of the AP is hidden.

Correct answer: b

Feedback for correct answer:
That’s correct.

Once a legitimate user joins the network, the captured authentication packets can be
used to compare against dictionaries.

Feedback for incorrect answer:
Not quite.

The AP will still broadcast beacons that can be used to infer the presence of a hidden
AP. The MAC address of the AP is still visible during beacon broadcasts. ChopChop
attacks work only on WEP and (in a limited way) on WPA-TKIP. Once a legitimate user
joins the network, the captured authentication packets can be used to compare against
dictionaries.

Topic 6: Bluetooth

What Is Bluetooth?

Bluetooth Timeline
Bluetooth is a wireless technology that uses short-range radio frequencies to transfer
voice and data across wireless personal area networks (WPANs). These WPANs are
commonly referred to as ad hoc or peer-to-peer (P2P) networks, and consist of consumer
devices such as laptops, printers, cell phones, headsets, tablets, wristwatches, and
personal digital assistants.

Though Bluetooth is a proprietary technology, it is freely available to users across the
globe. However, devices that wish to use Bluetooth must meet operability standards set
by the Bluetooth Special Interest Group. The widespread use of Bluetooth and its
adoption across multiple devices has led to Bluetooth technology being constantly
updated.

Bluetooth Versions

V 1.0: In 1998, Version 1.0 is launched. However, it cannot be operated across
different types of devices. Bluetooth 1.1 is the first real success.

V 1.2: In 2004, Version 1.2 improves the speed and audio quality of connections,
and allows Bluetooth to auto-switch to less crowded radio frequencies while
being used.

V 2.0: Later in 2004, Version 2.0 + EDR (enhanced data rate) improves
connectivity speeds up to 3 Mbit/s and allows flawless use of multiple
Bluetooth devices simultaneously.

V 2.1: In 2008, Bluetooth Version 2.1 + EDR provides a significant security
improvement for link key generation and management in the form of Secure
Simple Pairing (SSP).

V 3.0: In 2009, Bluetooth Version 3.0 + HS (high speed) uses a Bluetooth link to
establish the initial connection. Once the connection is established, data
traffic is carried on an IEEE 802.11 radio frequency at high speeds of 24
Mbit/s.

Bluetooth Attacks
There are many types of attacks that can be used to manipulate and stress devices that
use Bluetooth.

Bluesnarfing
It is common for cell phone users to set their Bluetooth status to “discoverable.” This
status allows cell phones to openly connect with other Bluetooth-enabled devices in a
10-meter radius. An adversary can take advantage of this and connect to the victim’s cell
phone to view/copy data such as phone books, pictures, and text messages. The
attacker can even copy the victim’s international mobile equipment identity (IMEI). The
IMEI is unique to each device and can be used to reroute all the victim’s incoming calls.

This invasive theft is known as bluesnarfing, the most dangerous of all the Bluetooth
attacks. Bluesnarfing is referred to as the “pull” attack. Data is pulled from the victim’s
cell phone without his or her knowledge.

Bluejacking
Bluejacking is a “push” attack that behaves in a similar manner to spam and phishing
attacks. Bluetooth-enabled devices with a discoverable status are vulnerable to
bluejacking. Unlike bluesnarfing, this attack is initiated by sending a text message to the
victim’s cell phone.

Though the messages sent are not harmful, they are designed to lead the user into
doing something harmful. Crowded places such as malls and train stations are popular
places for bluejacking pranks, as large crowds can be made to react to a message such
as “Your car has been towed; please contact security.”

Bluebugging
Bluebugging became a popular way to imitate the bluesnarfing attack. This attack also
accesses the victim’s device without informing the victim. The attack exploits the security
software in Bluetooth-enabled devices. The attacker is able to enter the cell phone
through a back door and control the commands. Often, attackers listen in on calls the
victim makes and receives, transfer data from the victim’s cell phone, and even divert
the victim’s calls to the attacker’s cell phone.

Car Whisperer
Many cars have audio systems or hands-free car kits that are Bluetooth-enabled. Any
person with a Bluetooth connection can connect with these systems/kits and listen in on
conversations in other people’s cars. The attacker needs only a Linux laptop, a
directional antenna, Bluetooth software, and the Car Whisperer program. Using these
tools, the attacker can easily connect to an unprotected Bluetooth connection in a car, as
most manufacturers use a standard passkey to authenticate and enable Bluetooth
pairing.

Fuzzing
Fuzzing software is a testing technique used by quality assurance and security experts
to strengthen Bluetooth-enabled devices and 802.11 WLAN connections. Malformed or
invalid commands are sent to victim systems to lock or crash them and discover
weaknesses/vulnerabilities. Bluetooth fuzzers are also used by attackers to signal a
device’s Bluetooth radio and quickly stress or slow down the system.

Topic 7: Summary

We have come to the end of Module 9. The key concepts covered in this module are
listed below.

• Wireless communication has become commonplace worldwide. In the
professional and personal space, people communicate with each other using a
wireless local area network (WLAN) for long-range distances across the globe,
and Bluetooth for short-range distances of up to 10 meters. Both these
technologies transmit data over radio frequencies.

• 802.11 WLAN is today’s most widely used technology for data transfer. It has
been developed as a standard by the Institute of Electrical and Electronics
Engineers (IEEE) and has many variants. The 802.11g is the most widely used
standard, and the 802.11n is the most recently developed standard.

• Most WLANs transmit frequencies from a client’s network interface card (NIC) to
the destination access point (AP). However, some WLANs known as
independent basic service set (IBSS) networks do not use APs. APs transmit
data in beacon packets.

• The widespread usage of wireless networks makes them the target of many
hackers, who take advantage of the relatively weak access and encryption used
in these networks. WLANs use two main encryption protocols: Wired Equivalent
Privacy (WEP) and Wi-Fi Protected Access Protocol (WPA/WPA2).

• Hackers launch FMS and ChopChop attacks to break or bypass encryption keys
in order to access the beacon packets. They use active and passive scanners to
access and spy on APs.

• To protect WLANs from hacker thefts, network operators have the option of
cloaking the network and filtering the MAC addresses. However, both these
systems have inherent loopholes and cannot be considered foolproof.

• Bluetooth transmits data within wireless personal area networks (WPANs) of
Bluetooth-enabled gadgets, such as laptops, printers, cell phones, headsets,
tablets, wristwatches, and personal digital assistants. There are many types of
attacks that can be launched against devices using Bluetooth: bluesnarfing,
bluejacking, bluebugging, car whispering, and fuzzing.

Glossary

Access Point: An access point (AP) is a router/switch that connects a wireless client to
a wired network.

Address Resolution Protocol: Address Resolution Protocol (ARP) is used to determine
the hardware address of a network host.

AES: Advanced Encryption Standard (AES) is an encryption method that replaces the old
TKIP and is implemented in WPA2.

Aircrack-NG: Aircrack-NG is an 802.11 WEP and WPA-PSK key-cracking tool that can
recover keys if enough wireless data packets have been collected.

Association Identifier: An association identifier (AID) is the response sent by the AP
when the wireless client’s authentication process is completed. The AID is then used by
the client for further communication with the AP.

Authenticator: The authenticator is a switch or wireless access point that acts as a
proxy to relay a user’s credentials between the supplicant and the authentication server.

Beacon Packets: Beacon packets contain the SSID and are broadcast by APs
periodically to advertise their presence.

Bluetooth: Bluetooth is a wireless technology that uses short-range radio frequencies to
transfer voice and data across wireless personal area networks. Well-known Bluetooth
vulnerabilities/attacks are bluejacking, bluebugging, car whispering, and fuzzing.

ChopChop Attack: A ChopChop attack enables hackers to decrypt a WEP-encrypted
packet and discover a keystream.

DoS: Denial of service (DoS) or distributed denial of service (DDoS) attacks flood a
target site with large volumes of traffic using “zombie” servers. This flood of traffic
consumes all of the target site’s network or system resources and denies access to
legitimate users.

Extensible Authentication Protocol: The Extensible Authentication Protocol (EAP) is an
authentication framework adopted by the wireless network standards WPA and WPA2.

Gerix Wifi Cracker: The Gerix Wifi Cracker provides a graphical interface for the
Aircrack-NG tool.

Independent Basic Service Set: An independent basic service set (IBSS) is an ad hoc
network that contains no access points.

IEEE 802.11 Standard: The IEEE (Institute of Electrical and Electronics Engineers)
standards for over-the-air modulation are defined by the 802.11 family.

Initialization Vectors: An initialization vector (IV) is a fixed-size random input to a
cryptographic algorithm.

John the Ripper: John the Ripper is a password-cracking tool.

Key: A key is a special combination of data designed to encrypt and decrypt
information. See also public key, secret key, and symmetric key.

Keystream: A keystream is a stream of pseudorandom bits or bytes used to encrypt a
plaintext message or decrypt a ciphertext message.

Kismet: Kismet is a powerful wireless packet sniffer that identifies networks by passive
sniffing.

Media Access Control Address: A Media Access Control (MAC) address is a unique
identifier assigned to network devices to ease communication over the network.

Network Cloaking: Network cloaking is a method of hiding the SSID of a beacon packet
so that only people who know the name of the network will be able to find it.

RADIUS: The RADIUS (Remote Authentication Dial-In User Service) protocol provides
centralized authentication, authorization and accounting (AAA) management when a
user wants to connect to a network and use network resources.

RC4 Algorithm: The RC4 algorithm is used to generate a pseudorandom stream of bits
known as a keystream.

Service Set Identifier: A service set identifier (SSID) comprises a 32-bit alphanumeric
key unique to a wireless LAN.

TKIP: TKIP (Temporal Key Integrity Protocol) is a replacement encryption method for
WEP.

Wired Equivalent Privacy: Wired Equivalent Privacy (WEP) is the first encryption
standard developed for wireless networks. The secret key it generates is partly in
plaintext, so WEP is considered a flawed protocol.

Wireless Personal Area Networks: Wireless Personal Area Networks (WPANs) are
wireless networks for interconnecting personal devices within 10 meters of each other.

WLAN: A wireless local area network (WLAN) uses a wireless distribution method to
enable wireless devices to connect to a wired network.

Wi-Fi Protected Access Protocol: Wi-Fi Protected Access (WPA) and Wi-Fi Protected
Access 2 (WPA2) are two wireless security protocol standards developed by the Wi-Fi
Alliance in response to vulnerabilities found in WEP.
