
                                                            CHAPTER ONE



Wireless LAN technology has rapidly become very
popular all over the world. The wireless local area network (WLAN) protocol,
IEEE 802.11, and associated technologies enable access to a network
infrastructure. Until the development of WLAN, a network client had to be
physically connected to the network by some kind of wiring. With the
rapid increase in the use of WLAN technology, it is important to provide secure
communication over wireless networks. Since its creation, the security of
wireless networks has gone through different stages of development, from MAC address
filtering or WEP to WPA/WPA2 (Ruchir Bhatnagar et al., 2015).

Wireless networks have
significantly impacted the world. Through them, information can be
sent easily and quickly without any wire. Wireless networks provide
all the functionality of wired networks without the physical constraints, and
configurations range from simple peer-to-peer to complex networks offering distributed
data connectivity and roaming. They also allow end-user mobility within a
networked environment and enable physical network portability, which allows LANs
to move with the users that make use of them. Furthermore, wireless networks can be
used to connect to the internet in countries and regions where the telecom
infrastructure is poor
2007). Wireless security
requires slightly different thinking from wired security because it gives
potential attackers easy access to the transport medium. This access significantly increases
the threat that any security architecture must address (Arbaugh 2003).

Data transmission on
wireless networks is inherently less secure than on wired networks
with respect to the physical medium, because anyone nearby can sniff the traffic
easily. Wireless LANs can use open authentication, as free Wi-Fi hotspots
do; in this case no authentication is required from the clients and the
traffic is not encrypted, making open networks totally insecure.

Two security protocols that provide
authentication and encryption to wireless LANs have been developed over
time: Wired Equivalent Privacy (WEP), Wireless Captive Portals,
and Wi-Fi Protected Access (WPA/WPA2-Personal, WPA2-Enterprise).
The WEP and WPA/WPA2 authentication protocols and the techniques for cracking
them will be discussed in the subsequent chapters of this project work.

Although there are many methods of security
assessment, such as audit trails and template applications, the only way to
truly know how secure a wireless network is is to test it. "Wireless
penetration testing is the process of attempting to gain access to resources
without knowledge of usernames, passwords and other normal means of access"
(Stephen 2006). The main objective of penetration testing is to
identify all the exploits and vulnerabilities that exist within an
organization's IT infrastructure and to confirm the effectiveness of the
security measures that have been implemented. Furthermore, it helps to identify
what information is exposed to the public or the Internet,
giving a bird's-eye perspective on current security. More importantly, penetration
testing provides a blueprint for remediation in order to start or enhance a comprehensive
information protection strategy (ISS, 2008).

In order to deploy a successful penetration test,
the test has to be designed to model real-world scenarios as
closely as possible, and the attack scenarios should be built to cover all
possible situations. Thus, the main thing that separates a penetration tester
from an attacker is permission. While most other auditing tends to touch only the
surface of security, penetration testing is the most effective method, as it is a "proof
of concept" that the measures taken to secure the network are not effective
(Stephen 2006).

Phases of Penetration Testing

The process
of penetration testing can be divided into four main phases or stages, which are as
follows: planning, discovery, attack, and reporting.

A scheme of the four-phase penetration testing methodology
is represented in the following diagram:

                                        Figure 1: Four phases of Penetration Testing

We are now going to explore each of the four phases.

The Planning phase

The planning phase is a crucial part of penetration
testing, though it is not always given the importance that it should have. In
this phase, we define the scope and the so-called rules of engagement
of a penetration test, as a result of an agreement between the penetration
testers and the client that will be formalized in a contract between the two
parties. It must be clear that a penetration tester should never operate
without a contract or outside the scope and the rules of engagement established
in the contract, because otherwise he or she could stumble into serious legal
trouble. The scope covers which networks to test and the goals and
objectives the client wants to achieve with the penetration test. Here we
need to consider, for example, the area to scan for wireless networks, the
coverage range of the signal of the networks to test, and their size in terms
of the number of clients that will supposedly be connected. We also define the
objectives of the test, such as specific vulnerabilities that should be
assessed and their priorities, whether rogue and hidden access points should be
enumerated, and whether wireless attacks against clients should be conducted. The rules of engagement include, among others,
the estimated timeline and the days and times when to perform the test, the
legal authorization from the client, the format of the report to produce,
payment terms, and a nondisclosure agreement clause, according to which the
results of the test are kept confidential by the testers.

Once the scope and rules of engagement are
established, the penetration testing team defines the resources and the tools
to employ for test execution.

The Discovery phase

In the discovery phase, we collect as much information
as possible about the networks that are in the scope of the penetration test.
This phase is also called the information gathering phase and it is very
important because it precisely defines the targets of our test and allows us to
collect detailed information about them and to expose their potential
vulnerabilities. In particular, for our scope, we would collect information such as:

- visible and hidden wireless networks and rogue access points
- clients connected to the networks
- the type of authentication used by the networks; we would like to find out
  which networks are open or use WEP, and are therefore vulnerable
- the area outside of the organization's perimeter reachable by wireless signals

The discovery phase can be carried out through two main
types of wireless network scanning, active and passive. Active
scanning implies sending out probe request packets to identify visible access
points, while passive scanning means capturing and analysing all wireless
traffic, which also allows hidden access points to be uncovered.
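As an added illustration of what the discovery phase produces (this is example code written for this chapter, not part of the original project), the following script parses the bodies of captured 802.11 beacon frames and classifies each network by authentication type, flags hidden SSIDs, and marks access points whose BSSID is not on an authorised list as possible rogues. The beacon bodies are constructed inline rather than captured from the air; in a real assessment the frames would come from a passive capture, and the classification uses the 802.11 Privacy capability bit together with the presence of an RSN (WPA2) or WPA vendor-specific information element.

```python
import struct

SSID_IE, RSN_IE, VENDOR_IE = 0, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # vendor IE prefix that marks WPA (v1)
PRIVACY_BIT = 0x0010                # capability field bit 4: encryption in use

def parse_beacon_body(body):
    """Split a beacon frame body into capability bits and its tagged IEs."""
    _timestamp, _interval, caps = struct.unpack_from("<QHH", body, 0)
    ies, pos = {}, 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:
            break  # truncated IE: stop instead of reading past the frame
        ies.setdefault(tag, []).append(data)
        pos += 2 + length
    return caps, ies

def classify(caps, ies):
    """Derive SSID, hidden-SSID status and authentication type from a beacon."""
    ssid = ies.get(SSID_IE, [b""])[0]
    if not caps & PRIVACY_BIT:
        auth = "Open"
    elif RSN_IE in ies:
        auth = "WPA2"
    elif any(v.startswith(WPA_OUI_TYPE) for v in ies.get(VENDOR_IE, [])):
        auth = "WPA"
    else:
        auth = "WEP"  # privacy set but no RSN/WPA IE: legacy WEP
    return {"ssid": ssid.decode("utf-8", "replace"),
            "hidden": ssid.strip(b"\x00") == b"", "auth": auth}

def audit(frames, authorised):
    # frames: (bssid, body) pairs; flags weak auth, hidden SSIDs and rogue BSSIDs
    findings = []
    for bssid, body in frames:
        info = classify(*parse_beacon_body(body))
        info.update(bssid=bssid, rogue=bssid not in authorised,
                    weak=info["auth"] in ("Open", "WEP"))
        findings.append(info)
    return findings

def make_beacon(ssid, privacy, ies=b""):
    # constructed beacon body for the demo (not a real capture)
    caps = PRIVACY_BIT if privacy else 0
    return struct.pack("<QHH", 0, 100, caps) + bytes([SSID_IE, len(ssid)]) + ssid + ies

RSN = bytes([RSN_IE, 2]) + b"\x01\x00"       # minimal RSN IE (version 1)
WPA = bytes([VENDOR_IE, 4]) + WPA_OUI_TYPE   # minimal WPA vendor IE
SAMPLE = [("00:11:22:33:44:01", make_beacon(b"corp-wifi", True, RSN)),
          ("00:11:22:33:44:02", make_beacon(b"guest", False)),
          ("00:11:22:33:44:03", make_beacon(b"legacy", True)),
          ("aa:bb:cc:dd:ee:ff", make_beacon(b"", True, WPA))]  # hidden, unknown AP
AUTHORISED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
```

Running `audit(SAMPLE, AUTHORISED)` reports the guest network as open, the legacy network as WEP, and the last entry as a hidden-SSID access point not on the authorised list, which is exactly the kind of finding the discovery phase feeds into the attack and reporting phases.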

The Attack phase

The attack phase is the most practical part of the
penetration testing process, where we try to exploit the vulnerabilities
identified in the discovery phase to gain access to the target networks.

This is called the exploitation sub-phase and
in our case could involve attempting to crack authentication keys to connect to
the network, setting up rogue and honeypot access points, and directly attacking
clients to recover the keys. The next stage (if required in the contract) is
referred to as post-exploitation and involves attacking the network and
the infrastructure after we have gained access to it, for example, taking
control of the access points and performing man-in-the-middle attacks against
the clients.

It is worth repeating that we should never conduct
attacks that are not explicitly required in the contract. Moreover, the attack
phase should be performed according to the terms and modalities established
with the client, defined in the rules of engagement. For example, if the
targets are production systems or networks, we could agree with the client to
conduct such attacks outside the working hours, as wireless connectivity and
the services provided may be disrupted.

The Reporting phase

Reporting is the final phase of penetration testing.
The previous phases are very important because they are where we plan and
execute the test, but it is equally important to communicate its results and
findings to the client in an effective manner. The report is useful as a
reference point for defining countermeasures and mitigation activities to
address the identified vulnerabilities. It is usually formed of two major
sections, the executive summary and the technical report.

Security Mechanisms used
in Wireless Local Area Networks

(1) SSID Hiding

SSID stands for Service Set Identifier.
In other terms, it is basically the name of the network and, in this
instance, the name of the Wireless Access Point (WAP). SSID Hiding is a configuration where the access point does not
broadcast its SSID in Beacon frames. Thus, only clients that know the SSID of
the access point can connect to it. However, while
this might look secure, it is in fact not, as it is what is known as
"Security through Obscurity". The method to uncover hidden SSIDs will be
discussed later in this project.