Basic Service Set

Data Link Direction

Edward Insam PhD, BSc, in TCP/IP Embedded Internet Applications, 2003

Basic service sets (BSS)

The BSS is the basic building block of an IEEE 802.11 LAN. Each BSS area roughly corresponds to the coverage of a number of stations. A central concept of a BSS is that all stations must 'hear' each other, that is, be within radio or optical range. The association between stations is dynamic: stations can come into and out of range or be switched off. To become a member of a BSS, each station must become associated with the network. These associations are dynamic and are managed and maintained by the use of a distribution system service (DSS). IEEE 802.11 architectures are integrated with others using portals. These are the points at which a non-IEEE LAN connects to an IEEE 802.11 distribution system.

IBSS networks. An IBSS is a BSS that has no backbone infrastructure and consists of at least two wireless stations. This type of network is often referred to as an ad hoc network, because it can be constructed quickly and without much planning. The ad hoc wireless network will satisfy most needs of users occupying a small area such as a single room, office or home. This may include file transfer between two notebook users, a coworkers' meeting outside the office, etc. The IEEE 802.11 standard addresses this need by the definition of an 'ad hoc' mode of operation. In this case, there is no access point, and part of its functionality is performed by the end-user stations (beacon generation, synchronization, etc.). Other access point functions, such as frame relaying between two stations not in range, or power saving, are not supported.

https://www.sciencedirect.com/science/article/pii/B9780750657358500333

Wireless Networked Video

Anthony C. Caputo, in Digital Video Surveillance and Security, 2010

Access Point

An AP is a switch (Layer 2 bridge) with two networking technologies: IEEE 802.3 Ethernet on one side and IEEE 802.11 wireless on the other side. An AP is what provides wireless connectivity to distributed resources such as a LAN, with printers and storage, and/or the Internet. The AP can only provide wireless access to those clients and/or stations securely associated with its encryption and authentication. Those clients/stations are oblivious to each other (unless designed to share resources on the network), and can only communicate with the AP, creating an access point/station (AP/STA) mapping based on accessibility (see Figure 5-2).

Figure 5-2. Wireless AP infrastructure topology.

Basic Service Set

A Basic Service Set (BSS) forms an ad hoc self-contained network with station-to-station traffic flowing directly, receiving data transmitted by another station, and only filtering traffic based on the MAC address of the receiver (see Figure 5-3).

Figure 5-3. Ad hoc self-contained network.

Extended Service Set

The Extended Service Set (ESS) consists of one or more interconnected WLANs integrated into LANs that appear as a single BSS to the logical link control layer. Any client/station can disassociate from one AP and associate to another AP, depending on traffic thresholds and signal strength.

Service Set Identifier

The Service Set Identifier (SSID) is the WLAN "network name." Similar to how a wired computer must associate itself with a specific workgroup or Active Directory domain, the wireless client station must associate itself with the SSID. Each network uses an SSID, a 32-octet string, to separate one network from another for bandwidth, authentication, and security reasons. This limits client stations to associating only with APs with matching SSIDs, unless the client station is configured for SSID = Any or the closed system feature is turned off. Although this isn't part of the standard, it's available on most commercial APs and isn't recommended for security reasons. It's best to maintain control of who and what can sniff your network. Turning off the broadcasting of the SSID, so that no other client stations can see it, is a good idea.

Beacons

Beacons are periodically sent from AP to client stations (in infrastructure mode) or station to station (in ad hoc mode) to synchronize the communication between associated members. Beacons contain:

Time synchronization information (including beacon interval)

Channel information

SSID

Traffic indication map (TIM)

Beacons manage client stations in a coverage area of multiple APs with the same configuration criteria, assisting in expediting associations when roaming between APs.

Hidden Node

The hidden node effect is an elusive wireless nuance that can be quite frustrating if there's no way to move the physical location of each wireless device or tweak the request-to-send/clear-to-send (RTS/CTS) function (see the next section, Request-to-Send/Clear-to-Send) to compensate for the jamming problem. The hidden node dilemma happens primarily in wireless ad hoc networks where there are multiple nodes (client workstations) attempting to communicate with other nodes concurrently. The hidden node is ignored, conversely, as the other nodes are too busy talking to each other to notice. For example, node A sends a signal to node B, but node C doesn't detect it, so node C might also start sending to node B to try to get its attention. This creates a collision of messages at node B, corrupting and losing both messages. This happens most often in larger ad hoc networks and wireless mesh networks, where the problem can affect the performance of the entire mesh.

Request-to-Send/Clear-to-Send

Part of the 802.11 standard and a solution (although some radios handle this better than others) to the hidden node issue is a MAC address level RTS/CTS, which adds a bit of overhead but avoids latency and dropped nodes.

The exchange of RTS/CTS data prior to the actual video frames is one means of managing all the nodes yelling at each other to get everyone's attention. A node (AP, client station, or mesh radio) receives the RTS and responds with a CTS frame. The node must receive a CTS frame, which contains a time value that alerts other stations to hold off from accessing the targeted node, while the node initiates the RTS transmission.

This RTS/CTS handshake provides control over how each node communicates with the others, keeping the signal active for streaming video. The main reason for implementing RTS/CTS is to minimize collisions among hidden nodes. If there's no hidden node problem, it's best to deactivate this function because it adds overhead and may be detrimental to a system demanding high frames per second (fps) and bit rates.

Interference

RF interference is caused by two or more radios, each on different wireless networks, using the same frequency. Interference can also come from 802.11 and non-802.11 devices: microwave ovens, Bluetooth, wireless telephones, radar signals, etc. To avoid interference there are other elements that need to be discovered when doing the wireless site survey (see Chapter 6). Table 5-1 shows examples of additional RF barriers.

Table 5-1. Additional RF Barriers

RF Barrier Description | RF Severity | Examples
Air                    | Minimal     | Unless raining
Wood                   | Low         | Partitions, wall studs
Plaster                | Low         | Interior walls
Synthetic material     | Low         | Interior walls, plastic siding
Asbestos               | Low         | Ceilings
Glass                  | Low         | Windows
Water                  | Medium      | Damp wood, aquarium
Bricks                 | Medium      | Interior and exterior walls
Marble                 | Medium      | Interior walls, floors, structures
Paper                  | Medium      | Books on bookcases, files in file cabinets
Concrete, wire mesh    | High        | Floors, exterior walls
Chicken wire mesh      | High        | Bulletproof glass, security booths
Metal                  | High        | Desks, metal partitions, reinforced concrete, automobiles, fire escapes

Interference can also be unintentional, as each manufacturer has different numerical channel assignments to select frequencies or overlapping frequencies. For instance, Brand A may have the same center frequency as Brand B but on a different bandwidth frequency that overlaps the channel on Brand A. When working with other agencies and companies using the same RFs, it's best to follow the frequencies instead of the channels.

Interference can also be intentional and used to create denial-of-service attacks to bring down the WLAN. Remember, there's no control over who can use the unlicensed bands.

Direct sequence spread spectrum (DSSS) is better at resisting interference and noise, but with any RF technology, when there's interference, throughput levels can drop down to zero bandwidth. A few nearby frequency hopping spread spectrum (FHSS) systems can cripple any FHSS or DSSS system, although a DSSS system continuously transmits on every frequency in the band, so the FHSS systems won't be able to find a clear channel and consequently degrade.

The FCC regulates the amount of power permitted by each band, licensed or unlicensed, but it doesn't monitor the number of transmitters a single source can use or how closely they can operate. For instance, if you're using the 2.4-GHz band for video surveillance solutions, then the signal can travel through walls. However, each transmitter used by each office in the entire building, coupled with any 2.4-GHz cordless phones still in operation, would create a constant fight for power with all transmitters playing dueling banjos. This situation would also create an inadvertent attempt to cripple the wireless band, which could be done by anyone who wants to shut down the WLAN to shut down the cameras. This is where directional antennas can help by providing a more laser-focused signal that ignores interference better. This works better than an omnidirectional antenna that transmits in all directions.

Line of Sight

Line of sight (LOS) is defined as having a clear visual between the transmitter and receiver without any obstructions. Although microwaves behave similarly to light and sound waves, the higher the frequency, the more diffusion and refraction when traveling through solid objects or even rain and fog.

As with light and sound, best practice is to provide a clear LOS from transmitter to receiver with no RF noise in between. LOS becomes imperative the farther the signal must travel. Depending on the elevation of the transmitter and receiver, RF can travel for miles; at 11 miles the curvature of the earth becomes an obstruction.

Fresnel Zone

The Fresnel (pronounced "FRE-NELL") zone occupies an ellipsoid area between the transmitter and receiver LOS. This zone is an important element in determining the best signal strength, especially when select obstructions are visible within the LOS between the transmitter and receiver. As depicted by Figure 5-4, 70% of the very center of the LOS signal must be clear to prevent multipath interference and signal deterioration. The transmitter and receiver must be at the same height to provide optimal signal strength, unless flat panel directional antennas are used to align the signal (more on this in the later section Antennas).

Figure 5-4. Fresnel zone must be 70% clear for optimal performance.

The radius of the Fresnel zone, at its widest point, can be calculated using the following formula:

$R = 43.3 \sqrt{\dfrac{d}{4f}}$,

where

d is the link distance in miles,

f is the frequency in GHz (e.g., 2.4 GHz, not 2400 MHz), and the answer

R is in feet.

An example would be a 2.4-GHz link at 5 miles (8.35 km), resulting in a Fresnel zone of 31.25 feet (9.52 m) at its widest point.

Quantification of obstacles inside the Fresnel zone is important to determine the amount of disruption they will cause (see Figure 5-4). Up to 30%, or in some cases 40% depending on the type of obstacle, of the Fresnel zone can be blocked with little or no disruption. This has little bearing on the new 802.11n MIMO technology, which uses multipath interference to its advantage.

If tree growth or new construction blocks more than 20% of the Fresnel zone, then raising the transmitter and receiver usually corrects the problem. In a mobile environment, such as indoors, the RF signal bounces off and moves through many obstacles, so the Fresnel zone is constantly changing and users usually dismiss the poor signal strength as a "dead zone" or weak signal strength.
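As an added example (not code from the chapter), the Fresnel radius formula above and the chapter's 70% clearance rule worked in Python; the obstruction model, where an obstacle intrudes a given height into the zone from its edge so the blocked share is intrusion divided by radius, is an assumption made here for illustration.

```python
import math

FEET_PER_METRE = 3.28084
REQUIRED_CLEAR_FRACTION = 0.70   # the chapter's rule: 70% of the zone must stay clear


def fresnel_radius_ft(d_miles: float, f_ghz: float) -> float:
    """Widest radius of the Fresnel zone, in feet, for a link of d miles at f GHz.

    Implements the chapter's formula R = 43.3 * sqrt(d / (4 f)). The frequency
    must be given in GHz (2.4, not 2400), as the text stresses.
    """
    if d_miles <= 0 or f_ghz <= 0:
        raise ValueError("link distance and frequency must be positive")
    return 43.3 * math.sqrt(d_miles / (4.0 * f_ghz))


def ft_to_m(feet: float) -> float:
    return feet / FEET_PER_METRE


def clearance_check(radius_ft: float, intrusion_ft: float) -> dict:
    """Apply the 70% rule to one obstruction.

    Assumed simplified model: the obstacle intrudes `intrusion_ft` into the zone,
    measured from the zone's edge towards the LOS centre line, so the blocked
    share is intrusion / radius. Returns the clear fraction, whether the rule is
    met, and how far the link would have to be raised to meet it.
    """
    if radius_ft <= 0:
        raise ValueError("radius must be positive")
    intrusion_ft = max(0.0, min(intrusion_ft, radius_ft))
    clear_fraction = 1.0 - intrusion_ft / radius_ft
    allowed_intrusion = (1.0 - REQUIRED_CLEAR_FRACTION) * radius_ft
    return {
        "clear_fraction": clear_fraction,
        "ok": clear_fraction >= REQUIRED_CLEAR_FRACTION,
        "raise_needed_ft": max(0.0, intrusion_ft - allowed_intrusion),
    }


def plan_link(d_miles: float, f_ghz: float, intrusion_ft: float) -> dict:
    """Radius plus clearance verdict for one link and one obstruction."""
    radius = fresnel_radius_ft(d_miles, f_ghz)
    result = clearance_check(radius, intrusion_ft)
    result["radius_ft"] = radius
    result["radius_m"] = ft_to_m(radius)
    return result


if __name__ == "__main__":
    # Constructed cases; the first is the chapter's own 2.4 GHz, 5 mile link (about 31.25 ft).
    for d, f, intrusion in [(5.0, 2.4, 6.0), (5.0, 2.4, 12.0), (1.0, 5.8, 0.0)]:
        r = plan_link(d, f, intrusion)
        print("%4.1f mi @ %.1f GHz: R = %.2f ft (%.2f m), clear %.0f%%, ok=%s, raise %.2f ft"
              % (d, f, r["radius_ft"], r["radius_m"], 100 * r["clear_fraction"],
                 r["ok"], r["raise_needed_ft"]))
```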

https://www.sciencedirect.com/science/article/pii/B9781856177474000056

Wireless Networked Video

Anthony C. Caputo, in Digital Video Surveillance and Security (2nd Edition), 2014

Access Points

An AP is a switch (Layer 2 bridge) with two networking technologies: IEEE 802.3 Ethernet on one side and IEEE 802.11 wireless on the other side. An AP is what provides wireless connectivity to distributed resources such as a LAN, with printers, storage, and/or Internet. The AP can only provide wireless access to those clients and/or stations that are securely associated with its encryption and authentication. Those clients and stations are oblivious to each other (unless designed to share resources on the network), and they can only communicate with the AP, creating an access point/station (AP/STA) mapping based on accessibility (see Figure 5.2).

Figure 5.2. Wireless AP infrastructure topology.

Independent Basic Service Set (IBSS)

An Independent Basic Service Set (IBSS) forms an ad hoc, independent, self-contained network with station-to-station traffic flowing directly, receiving data transmitted by another station, and only filtering traffic based on the MAC address of the receiver (see Figure 5.3).

FIGURE 5.3. An ad hoc self-contained network.

Extended Service Set (ESS)

The ESS consists of one or more interconnected WLANs, integrated into LANs that appear as a single BSS to the logical link control layer. Any client or station can disassociate from one AP and associate to another AP, depending on traffic thresholds and signal strength.

Service Set Identifier (SSID)

The SSID is the WLAN "network name." Much the way a wired computer must associate itself with a specific workgroup or Active Directory domain, the wireless client station must associate itself with the SSID. Each network uses an SSID, a 32-octet string, to separate one network from another for bandwidth, authentication, and security reasons. This limits client stations to associating only with APs with a matching SSID unless the client station is configured for SSID=ANY or the closed system feature is turned off. Although this is not part of the standard, it is available on most commercial APs and is not recommended for security reasons. It's best to maintain control of who and what can sniff your network. Turning off the broadcasting of the SSID so that no other client stations can see it is a good idea.

Beacons

Beacons are periodically sent from AP to client stations (in infrastructure mode) or station to station (in ad hoc mode) to synchronize the communication between associated members. Beacons contain:

Time synchronization data (including beacon interval)

Channel data

SSID

Traffic Indication Map (TIM)

Beacons manage client stations in a coverage area of multiple APs with the same configuration criteria, assisting in expediting associations when roaming between APs.
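The beacon contents listed in both editions above (timestamp and interval, channel, SSID, TIM) follow the 802.11 beacon body layout: fixed timestamp, beacon interval and capability fields, then tagged elements. This added parser is not code from either chapter; the sample beacon bytes are constructed here, and it shows that a "closed system" AP still transmits beacons, only with an empty SSID element.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# 802.11 element IDs for the beacon contents the chapter lists
EID_SSID = 0
EID_DS_PARAMS = 3   # DS Parameter Set: one byte, the channel number
EID_TIM = 5         # Traffic Indication Map


@dataclass
class Beacon:
    timestamp: int            # TSF timer in microseconds (time synchronization)
    beacon_interval_tu: int   # beacon interval in time units (1 TU = 1024 us)
    capability: int
    ssid: Optional[str] = None
    ssid_hidden: bool = False
    channel: Optional[int] = None
    dtim_count: Optional[int] = None
    dtim_period: Optional[int] = None
    multicast_buffered: bool = False
    aids_with_buffered_traffic: List[int] = field(default_factory=list)


def beacon_interval_ms(beacon: Beacon) -> float:
    return beacon.beacon_interval_tu * 1024 / 1000.0


def parse_elements(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the tagged-parameter area into (element_id, value) pairs.

    Each element is id(1) + length(1) + value. A length that runs past the
    end of the frame is rejected rather than silently read as a short value.
    """
    elements = []
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated element header at offset %d" % i)
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("element %d claims %d bytes, only %d present" % (eid, length, len(value)))
        elements.append((eid, value))
        i += 2 + length
    return elements


def parse_tim(value: bytes) -> Tuple[int, int, bool, List[int]]:
    """TIM: DTIM count, DTIM period, bitmap control, partial virtual bitmap."""
    if len(value) < 4:
        raise ValueError("TIM element too short")
    dtim_count, dtim_period, bitmap_control = value[0], value[1], value[2]
    multicast = bool(bitmap_control & 0x01)          # bit 0: group traffic buffered
    offset_octets = (bitmap_control >> 1) * 2        # bitmap offset field, in octets
    aids = []
    for octet_index, octet in enumerate(value[3:]):
        for bit in range(8):
            if octet & (1 << bit):
                aids.append((offset_octets + octet_index) * 8 + bit)
    return dtim_count, dtim_period, multicast, aids


def parse_beacon_body(body: bytes) -> Beacon:
    """Parse a beacon frame body (after the MAC header, FCS removed)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    beacon = Beacon(timestamp=timestamp, beacon_interval_tu=interval, capability=capability)
    for eid, value in parse_elements(body[12:]):
        if eid == EID_SSID:
            # An AP with SSID broadcasting turned off still beacons; the SSID
            # element is simply empty (or all zero bytes), so BSSID and channel remain visible.
            beacon.ssid_hidden = len(value) == 0 or value == b"\x00" * len(value)
            beacon.ssid = None if beacon.ssid_hidden else value.decode("utf-8", errors="replace")
        elif eid == EID_DS_PARAMS and len(value) == 1:
            beacon.channel = value[0]
        elif eid == EID_TIM:
            (beacon.dtim_count, beacon.dtim_period,
             beacon.multicast_buffered, beacon.aids_with_buffered_traffic) = parse_tim(value)
    return beacon


# Constructed sample bodies (not real captures): TSF 0x123456, interval 100 TU,
# capability ESS|Privacy; one with SSID "CamNet1" on channel 6 and a TIM marking
# AID 1 as having buffered traffic, one "closed system" beacon on channel 11.
FIXED_FIELDS = struct.pack("<QHH", 0x123456, 100, 0x0011)
SAMPLE_BEACON = (FIXED_FIELDS + bytes([EID_SSID, 7]) + b"CamNet1"
                 + bytes([EID_DS_PARAMS, 1, 6])
                 + bytes([EID_TIM, 4, 0, 3, 0x00, 0x02]))
HIDDEN_SSID_BEACON = FIXED_FIELDS + bytes([EID_SSID, 0]) + bytes([EID_DS_PARAMS, 1, 11])

if __name__ == "__main__":
    for name, body in (("visible", SAMPLE_BEACON), ("closed system", HIDDEN_SSID_BEACON)):
        print(name, parse_beacon_body(body), "%.1f ms" % beacon_interval_ms(parse_beacon_body(body)))
```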

Hidden Node

The hidden node effect is an elusive wireless nuance that can be quite frustrating if there is no way to move the physical location of each wireless device or tweak the RTS/CTS function (more on this later) to compensate for the jamming problem. The hidden node dilemma happens primarily in wireless ad hoc networks, where multiple nodes (client workstations) are attempting to communicate with other nodes concurrently. The hidden node is the node of the group that is ignored, conversely, since the other nodes are too busy talking to each other to notice.

For example, node A sends a signal to node B, but node C doesn't notice that, so node C might also start sending to node B, trying to get its attention, but all that does is create a collision of messages at node B, corrupting and losing messages from both A and C. This happens most often in larger ad hoc networks and wireless mesh networks, where the problem can affect the performance of the entire mesh. This issue is far more prevalent in wireless radios that follow the Wi-Fi standard, which requires interoperability with any Wi-Fi standard client device (computers, laptops, tablets, smartphones). A Wi-Fi standard access point must be open to inviting anyone into the network. This is where the half-duplex nature of radios becomes even more exaggerated.

Wireless mesh networking radios that only need to establish connectivity between each other do not need to follow the Wi-Fi standard and improve security by creating another barrier to entry. You cannot connect into the mesh network without another mesh radio of the same manufacturer with the same encryption settings.

Request to Send/Clear to Send (RTS/CTS)

Part of the 802.11 standard and a solution to the hidden node effect (although some radios handle this better than others) is a MAC address-level request to send/clear to send (RTS/CTS), which adds a bit of overhead but avoids latency and dropped nodes.

The exchange of RTS/CTS data prior to the actual video frames is one means of managing all the nodes yelling at each other to get everyone's attention. A node (access point, client station, or mesh radio) receives the RTS and responds with a CTS frame. The node must receive a CTS frame, which contains a time value that alerts other stations to hold off from accessing the targeted node while the node initiates the RTS transmission.

This RTS/CTS handshake provides control over the way the nodes will communicate with one another, keeping the signal active for streaming video. The main reason for implementing RTS/CTS is to minimize collisions among hidden nodes. If there is no hidden node problem, it is best to deactivate this function, since it does add overhead and it may be detrimental to a system demanding high FPS and bit rates.

https://www.sciencedirect.com/science/article/pii/B9780124200425000058

Wireless Local Area Networks

Vijay K. Garg, in Wireless Communications & Networking, 2007

21.6 Joining an Existing Basic Service Set

The 802.11 MAC sublayer is responsible for how a station associates with an AP. When an 802.11 station enters the range of one or more APs, it chooses an AP to associate with (also known as joining a basic service set), based on signal strength and observed packet error rates. Once accepted by the AP, the station tunes to the radio channel to which the AP is set. Periodically it surveys all 802.11 channels in order to assess whether a different AP would provide it with better performance characteristics. If it determines that this is the case, it reassociates with the new AP, tuning to the radio channel to which that AP is set. Reassociating usually occurs because the wireless station has physically moved away from the original AP, causing the signal to be weakened. In other cases, reassociating occurs due to changes in radio characteristics in the building, or due to high network traffic on the original AP. In the latter case this function is known as load balancing, since its main function is to distribute the total WLAN load most efficiently across the available wireless infrastructure.

The process of dynamically associating and reassociating with APs allows network managers to set up WLANs with very wide coverage by creating a series of overlapping 802.11b cells throughout a building or across a campus. To be successful, the IT manager ideally will employ channel reuse, taking care to set each access point on an 802.11 DSSS channel that does not overlap with a channel used by a neighboring AP (see Figure 21.17).

Figure 21.17. DSSS channel without overlap with a channel used by neighbor AP.

As noted above, while there are 14 partially overlapping channels specified in 802.11 DSSS, there are only 3 channels that do not overlap at all, and these are the best to use for multicell coverage (refer to Table 21.5). If two APs are in range of one another and are set to the same or partially overlapping channels, they may cause some interference for one another, thus lowering the total available bandwidth in the area of overlap.
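An added example (not from the chapter) of the channel-reuse check described above: it derives the non-overlapping DSSS channels from the 2.4 GHz channel centre frequencies and the 22 MHz channel width, and flags neighboring APs whose channels overlap. The AP layout and neighbor pairs are constructed here; leaving channel 14 out of the default set is an assumption, since it is permitted only in some regulatory domains.

```python
from typing import Dict, Iterable, List, Tuple

DSSS_CHANNEL_WIDTH_MHZ = 22   # occupied bandwidth of one 802.11 DSSS channel


def dsss_center_mhz(channel: int) -> int:
    """Centre frequency of 2.4 GHz DSSS channel 1-14.

    Channels 1-13 are 5 MHz apart starting at 2412 MHz; channel 14 sits at 2484 MHz.
    """
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("no such DSSS channel: %r" % (channel,))


def channels_overlap(a: int, b: int) -> bool:
    """Two 22 MHz wide channels overlap when their centres are less than 22 MHz apart."""
    return abs(dsss_center_mhz(a) - dsss_center_mhz(b)) < DSSS_CHANNEL_WIDTH_MHZ


def non_overlapping_channels(available: Iterable[int] = range(1, 14)) -> List[int]:
    """Greedy pick of mutually non-overlapping channels, lowest first.

    With channels 1-13 this returns the three channels the chapter refers to.
    """
    chosen: List[int] = []
    for ch in sorted(available):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def conflicting_neighbors(plan: Dict[str, int],
                          neighbors: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the neighbor pairs (APs in range of one another) whose channels overlap.

    `plan` maps AP name -> channel; `neighbors` lists pairs that can hear each other.
    """
    return [(a, b) for a, b in neighbors if channels_overlap(plan[a], plan[b])]


# Constructed layout: AP-3 was set to channel 3, which overlaps both of its neighbors.
SAMPLE_PLAN = {"AP-1": 1, "AP-2": 6, "AP-3": 3, "AP-4": 11}
SAMPLE_NEIGHBORS = [("AP-1", "AP-2"), ("AP-1", "AP-3"), ("AP-2", "AP-3"), ("AP-2", "AP-4")]

if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_channels())
    print("conflicts:", conflicting_neighbors(SAMPLE_PLAN, SAMPLE_NEIGHBORS))
```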

When a station wishes to access an existing basic service set, it needs to get synchronization information from the AP. The station can get this information in one of two ways:

Passive scanning: In this case the station waits to receive a beacon frame from the AP. The beacon frame is a frame sent out periodically by the AP containing synchronization information.

Active scanning: In this case the station tries to locate an AP by transmitting a probe request frame, and waits for a probe response from the AP.

A method is chosen according to the power consumption/performance tradeoff. Once the station has located an AP, and decides to join its basic service set, it goes through the authentication process. This is the interchange of information between the AP and the station, where each side proves the knowledge of a given password. This is necessary because WLANs have limited physical security to prevent unauthorized access. The goal of authentication is to provide access control equal to a wired LAN. The authentication service provides a mechanism for one station to identify another station. Without this proof of identity, the station is not allowed to use the WLAN for data delivery. All 802.11 stations, whether they are part of an independent basic service set or extended service set (ESS) network, must use the authentication process prior to communicating with another station. IEEE 802.11 uses authentication services defined in IEEE 802.11i.

Once the station is authenticated, it then starts the association process. It is used to make a logical connection between a mobile station and an AP and to exchange information about the station and basic service set/capabilities, which allows the distribution system service (DSS) to know about the current position of the station. This is necessary so that the AP can know where and how to deliver information to the mobile station. A station is allowed to transmit data frames through the AP only after the association process is completed.

When a station determines that the existing signal is poor, it begins scanning for another AP. This can be done by passively listening or actively probing each channel and waiting for a response. Once data has been received, the station selects the most appropriate signal and sends an association request to the new AP. If the new AP sends an association response, the client connects to the new AP. This feature is known as roaming and is similar to the cellular handover, with two main differences:

On a packet-based LAN system, the transition from cell to cell may be performed between packet transmissions, as opposed to a cellular system where the transition may occur during a telephone conversation. This makes WLAN roaming a little easier.

On a voice system, a temporary disconnection may not affect the conversation, while in a packet-based data system it significantly reduces performance because retransmission is performed by the upper layer protocols.

The 802.11 standard does not define how roaming should be performed, but defines the basic tools, including active/passive scanning and a re-association process in which a station roaming from one AP to another becomes associated with the new AP.

The 802.11 standard also provides a mechanism to remove a station from the basic service set. The procedure is called de-authentication. De-authentication is used to prevent a previously authenticated station from using the network any further. Once a station is de-authenticated, it is no longer able to access the WLAN without performing the authentication process again. De-authentication is a notification and cannot be refused. When a station wishes to be removed from a basic service set, it can send a de-authentication management frame to the associated AP. An AP could also de-authenticate a station by sending a de-authentication frame to the station.

https://www.sciencedirect.com/science/article/pii/B9780123735805500557

Mobile and Wireless Networks

Dong-Wan Tcha, in Encyclopedia of Information Systems, 2003

III.B.1. Access Network Role

A base station system consists of a collection of equipment (transceivers, controllers, etc.) for communicating with MTs in a certain area. A BSS has one base station controller (BSC), and one or more base transceiver stations (BTS) controlled by the BSC. A base transceiver station (BTS) is a network component that serves one cell. A base station system expands the so-called base station, in charge of a single cell in the early implementation stage, into a two-level hierarchy covering multiple small cells.

https://www.sciencedirect.com/science/article/pii/B012227240400112X

Compromising a System and Privilege Escalation

Thomas Wilhelm, in Professional Penetration Testing, 2010

Wi-Fi Protected Access Attack

Wi-Fi Protected Access (WPA) is considered a stronger mode of authentication than Wired Equivalent Privacy (WEP). Strangely, WPA is quicker to crack than the weaker form of wireless encryption – WEP. WPA encryption strength is only as strong as the WPA password – if the access point uses a weak password, a penetration tester can crack it using a simple dictionary attack. To demonstrate how this is done, we first need to start by configuring our attack system to monitor all wireless traffic. Figure 12.17 is a startup script that will create a virtual wireless connection that is placed into monitor mode.

Figure 12.17. Wireless Script to Establish and Place ATH1 in Monitor Mode

After we run the script using the command ./ath1_prom start, we can check to see if the listening device is properly configured by issuing the iwconfig command. If we look at Figure 12.18, we can see that the listening device ath1 is set to Mode:Monitor. At this point, we can begin to sniff the airwaves for wireless communication.

Figure 12.18. ATH1 in Monitor Mode

There are many ways to see what access points are nearby, including using the airodump-ng tool. The critical information to obtain from any scan for wireless access points includes the following:

Basic Service Set Identifier (BSSID): This is the MAC address for the wireless access point.

Extended Service Set Identifier (ESSID): This is the name of the wireless network.

Station (client) MAC addresses: In some cases, it may be necessary to attack the client, such as in deauthentication attacks.

Note

As an interesting side note, I tried to take a screenshot of the airodump-ng tool identifying just my lab's wireless access point. The problem I ran into is that wireless access points are everywhere. Even relocating my access point to a geographically disparate location, I could not find any place that did not have numerous wireless routers offering connections. I decided to not include a screenshot because I didn't feel it ethical to post a screenshot of other people's home access points (some of the names for the access points are humorous, and others are profane). It seems that in today's environment, wireless has become pervasive and is difficult to avoid.

Once we decide on a target, we can start capturing data. Figure 12.19 is the command we will use to begin packet capturing; the command will look for only those access points broadcasting on channel 8, which has a BSSID of 00:1A:70:47:00:2F. These settings are specific to the lab access point and will change depending on our target. We also requested that airodump-ng capture all data, storing it in the /tmp directory.

FIGURE 12.19. Launching Airodump

Figure 12.20 shows airodump-ng in progress, collecting wireless data packets. When we attack WPA, we don't actually care about most of the normal traffic between the access point and the authorized user's system. The only data we are interested in is the initial WPA handshake between the two devices, which authenticates the user's system with the access point. Authentication for WPA uses preshared keys, which are either 64 hexadecimal digits or a passphrase of 8 to 63 printable ASCII characters.

Figure 12.20. Airodump Notification of WPA Handshake Capture

To capture the handshake, we have to wait for someone to connect to the access point. Systems already connected do not generate the handshake we need, and waiting for someone to connect may take too long. However, another program – aireplay-ng – has the capability to deauthenticate connected clients from a target access point, requiring the clients to reconnect and reauthenticate using the WPA handshake. In our test lab, we will simply connect our second laptop as soon as we know that airodump-ng is listening. Once we deauthenticate the connected client, airodump-ng should be able to isolate and save the encrypted preshared key.

Figure 12.20 indicates that a WPA handshake has indeed been captured, based on the notice on the far right of the top line: WPA Handshake: 00:1A:70:47:00:2F. We can then use a dictionary attack against the encrypted key. One interesting point is that only 56 s has elapsed between the time we launched the airodump-ng attack and when the WPA handshake was captured.

In Figure 12.21, we will use the aircrack-ng program to decipher our captured WPA encrypted key. To launch aircrack-ng, we need to provide the location of the capture file and a dictionary. Although there are some dictionary files on BackTrack, they are not very useful in wireless attacks because they include words that are too small to be valid WPA keys.

FIGURE 12.21. Launching Aircrack-ng

If password decryption is a significant portion of our penetration test effort, we will need to create our own dictionary file. If we focus on WPA attacks, and because we know that passphrases have to be a minimum of eight characters, we can begin creating our own dictionary by only using words that are at least that long. We could filter on a dictionary that we already have and create a new file with words that are eight characters. A good source on manipulating data from a file to reach our goals is the Linux cookbook, found at http://dsl.org/cookbook/cookbook_18.html#SEC266.

Notes from the Underground…

Languages

Deciding which language to include in a dictionary attack is difficult. Although English has been used as a common language in computer programming, dictionary attacks need to target the language of the authorized users. Because companies can have employees from all over the world connecting to the internal servers, it is becoming more difficult to know exactly what languages to include besides English.

One disadvantage with aircrack-ng is that information technology does not have the capability to mutate words in dictionaries. Mutating is the process of modifying a give-and-take using different spellings. A mutation example using the word "hacking" could include: Hacking, HACKING, [e-mail protected], [email protected], and even |-|@c|<1|\|yard.

Because aircrack-ng does not mutate wordlists, the penetration tester must mutate words beforehand. There are other password cracking programs available on the market that will mutate dictionary entries, increasing the chance of deciphering WPA keys. However, aircrack-ng is quite powerful, and wordlists containing mutations volition be useful in other applications too.

Figure 12.22 is a screenshot of aircrack-ng successfully deciphering the HeorotLab access point WPA shared-key, which is "Complexity" (the key is case-sensitive). At this point, we can connect to the access indicate and brainstorm enumerating the network and all continued systems.

FIGURE 12.22. Aircrack Successfully Identifying WPA Cardinal

If the HeorotLab admission betoken had been connected to a corporate network intended for employees, we would have elevated our privileges within the network. Even though we should non accept had access, nosotros can examine the network equally a normal user.

If the WPA shared-key passphrase had been complex, our power to penetrate the network would most likely have been unsuccessful. To crack a WPA central, nosotros have to take a dictionary file that contains the verbal passphrase. Because the passphrase can be between 8 and 63 printable ASCII characters, passphrases tin can be quite big – trying to include all possible combinations in a word file is simply not applied.

Figure 12.22 also indicates that our deciphering assail was cursory – almost instantaneous. The dictionary file used for this example was very small, containing but a few words (it is used to demonstrate wireless attacks and isn't used in real-world penetration tests). However, aircrack-ng can compare thousands of words to the captured key in a matter of a few minutes, making WPA cracking very quick.

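The constraints above (8 to 63 printable ASCII characters, and the fact that a dictionary word such as "Complexity" falls instantly) can be enforced before a passphrase is ever deployed. The following is an added example, not code from the chapter: a passphrase policy check that applies the length and character rules and rejects anything that matches a wordlist after undoing case and simple leet substitutions, alongside the standard PBKDF2 derivation of the 256-bit PSK from passphrase and SSID, checked against the IEEE 802.11i "password"/"IEEE" test vector. The WORDLIST and the DELEET table are constructed for the demonstration.

```python
import hashlib
import string

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")   # exactly 0x20..0x7e
# Constructed stand-in for a wordlist (lowercase entries); a real policy check
# would use the same lists an attacker feeds to a cracker.
WORDLIST = {"password", "complexity", "heorotlab", "wireless"}
# Undo the simplest "mutations" (h@ck1ng -> hacking) before the lookup.
DELEET = str.maketrans("@$013457", "asoieast")


def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.
    The 4096 rounds are the per-guess cost a dictionary attack has to pay."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def check_passphrase(passphrase, wordlist=WORDLIST):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(c not in PRINTABLE for c in passphrase):
        problems.append("only printable ASCII (0x20-0x7e) is allowed")
    if passphrase.lower().translate(DELEET) in wordlist:
        problems.append("matches a wordlist entry after undoing case and leet substitutions")
    return problems
```

Both "Complexity" and its mutation "C0mpl3x1ty" are rejected by the wordlist rule, while a long multi-word passphrase passes.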
URL:

https://www.sciencedirect.com/science/article/pii/B9781597494250000178

Using Man-in-the-Middle Attacks to Your Advantage

Chris Hurley , ... Brian Baker , in WarDriving and Wireless Penetration Testing, 2007

Identify the Target

To gather preliminary information on the target, you need to get back to WarDriving basics and gain as much information about the target as you can. Using our WarDriving setup, do a preliminary WarDrive of the site campus. The goal is to locate one or more APs with wireless clients already associated, and to identify any security controls, encryption, and/or authentication mechanisms that are in place.

Using Kismet and an omni-directional antenna, locate a target AP with wireless clients connected. During the WarDrive, an access point was identified with the following information:

Target Network Service Set Identifier (SSID): VisitorLAN

Target Network Basic Service Set Identifier (BSSID): 00:13:10:1E:65:42

Wireless Client Connected: 00:02:2D:2D:82:36

The Target Network Encryption: WEP

The Target Network IP Range: 192.168.1.0/24

You have identified a target access point; however, to perform your MITM attack you need to connect to the access point, and to do this you need to compromise the WEP key.

Compromising the Target

At this point, you can use the information you gathered during the WarDrive to help compromise the target access point's WEP key. To crack the WEP key, you need to know the BSSID of the access point and the Media Access Control (MAC) address of a wireless client already connected. Using the Aircrack-ng tools, you can begin the attack against the VisitorLAN access point.

NOTE

Aircrack is an 802.11 WEP and WiFi Protected Access-Pre-Shared Key (WPA-PSK) key cracking program that can recover keys once enough data packets have been captured. Aircrack-ng is the next generation of Aircrack and contains a lot of new features.

To use Aireplay-ng with Host AP, you need to install the Host AP kernel patch so that the Address Resolution Protocol (ARP)-request replay will work properly. You can obtain information about Aircrack-ng from http://www.aircrack-ng.org.

The first step in your WEP-cracking process using the Aircrack-ng suite is to start airodump-ng to collect WEP initialization vectors (IVs) and save them to an output file. To start airodump-ng on the wlan0 interface and capture any IVs to an output file called visitorlan-01.cap, use the following command:

airodump-ng -w visitorlan -c 6 wlan0

Once airodump-ng is running, open a new terminal and start aireplay-ng with the following command:

With airodump-ng and aireplay-ng running, you need the wireless client to disconnect and reconnect to the target access point, which will generate an ARP request. Using the ARP request Replay option, aireplay-ng will capture and replay an ARP request targeted at the access point to create traffic and IVs. To use void11 to accomplish the deauthentication of the wireless client, use the following command:

As shown in Figure 9.6, aireplay-ng is using the ARP request Replay option to capture and replay client ARP requests.

Figure 9.6. Aireplay-ng Running

Using the aircrack-ng visitorlan-01.cap command, attempt to crack the WEP key using aircrack-ng and the visitorlan-01.cap capture file generated by airodump-ng (see Figure 9.7).

Figure 9.7. Aircrack-ng Cracked the WEP Key

Now you have all of the information required to connect to the target access point and begin your MITM attack.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597491112500349

Wireless Penetration Testing Using a Bootable Linux Distribution

Chris Hurley , ... Brian Baker , in WarDriving and Wireless Penetration Testing, 2007

Kismet

Kismet is probably the most versatile and comprehensive WLAN scanner. Like Wellenreiter, Kismet is a passive WLAN scanner that detects the networks that are broadcasting the SSID. Kismet is started in much the same way as Wellenreiter. Select Auditor | Wireless | Scanner/Analyzer | Kismet Tools | Kismet (Wireless Scanner). A window opens prompting you for a data directory where your Kismet results will be saved. Select a location and press OK, then confirm the directory by pressing Yes. Next, you are prompted to provide a prefix that will be added to the Kismet files as they are saved. After entering the prefix, click OK and Kismet will start. Unlike Wellenreiter, Kismet is a text-based application that begins collecting data as soon as it is started (see Figure 7.7).

Figure 7.7. Kismet Interface

Kismet has a wide range of sorting and viewing options. Sort options can be selected by pressing the s key (see Figure 7.8).

Figure 7.8. Kismet Sort Options

The default sorting view is Auto-Fit. To change the sort view, type s to bring up the sort options. Networks can be sorted by:

The time they were discovered (first to last or last to first)

The MAC address Basic Service Set Identifier (BSSID)

The network name (SSID)

The number of packets that have been discovered

Signal strength

The channel they are broadcasting on

The encryption type (WEP or No WEP)

After choosing a sort view, information on specific access points can be viewed. Use the arrow keys to highlight a network and then press ENTER to get information on the network (see Figure 7.9).

Figure 7.9. Specific Network

Kismet creates seven log files by default:

Cisco (.cisco)

Comma Separated Value (.csv)

Packet Dump (.dump)

GPS Coordinates (.gps)

Network (.network)

Weak IVs (.weak)

Extensible Mark Up Language (.xml)

The range of log files created by Kismet allows penetration testers to manipulate the data in many different ways (scripts, importing to other applications, and so on).

URL:

https://www.sciencedirect.com/science/article/pii/B9781597491112500325

Low tech wireless hacking

Jack Wiles , ... Sean Lowther , in Low Tech Hacking, 2012

Ad hoc, ad finem

Independent basic service sets (IBSS) and ad hoc networks

Low Tech Level 2

Staying in the vein of peer attacks, let's look at the hacking potential with ad hoc networks. Ad hoc is defined as formed or used for specific or immediate problems or needs, followed with fashioned from whatever is immediately available: improvised. 4 In terms of 802.11, an ad hoc network is an independent basic service set (IBSS), which just means there is no AP.

Without an AP, everything connected in an ad hoc network is a peer; there's no master and therefore no one to regulate the chaos. Because of this, ad hocs are dangerous networks to have floating around in an enterprise. You don't know who's connected to whom, what they're accessing, and you can't see or control the traffic or access. These unhampered connections cause less heartburn in homes and home offices, where users are looking for the convenience of connectivity without the hassle of architecting a true network.

I've given this scenario a Low Tech Level 2 because it can be performed with a variety of wireless devices and only requires a small configuration change to implement. An ad hoc network gives a hacker covert access to its peers, allowing the same type of attacks seen in the previous peer-to-peer hacks.

There are some obvious limitations to exploiting an ad hoc network, since a hacker would need to get close to your other wireless clients, as the antennas in laptops aren't as strong as those in APs. The warning to heed here: this attack is a great approach for an insider attack. The data he or she acquires, either wirelessly or via a wired bridge, is virtually untraceable. Your switches, routers, firewalls, IDS/IPS, and data leakage prevention (DLP) tools at the gateway will not see data stolen in this manner.

Organizations, especially larger ones, are strongly encouraged to use a variety of tools to protect against these types of attacks and possible data theft. Settings on laptops and forced configurations through group policy or endpoint security tools can prevent endpoints from participating in ad hoc networks. In addition, a protocol analyzer or WIPS can be used to look for IBSS traffic, which would alert you to an ad hoc network in the environment.

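A protocol analyzer or WIPS recognizes an ad hoc network from the capability bits in its beacons, and the deauthentication frames used in the earlier chapter to force a WPA handshake are just as visible over the air. The following is an added example, not code from either chapter: a small parser for 802.11 management frames that flags IBSS beacons and deauthentication frames, run over constructed frames. The VisitorLAN BSSID and client address are taken from the WarDriving chapter; the ad hoc BSSID, its SSID "freewifi" and the reason code are made up for the demonstration.

```python
import struct

BEACON, DEAUTH = 8, 12                 # management-frame subtypes
CAP_ESS, CAP_IBSS = 0x0001, 0x0002     # capability-info bits carried in a beacon
IE_SSID, IE_DS = 0, 3                  # information-element tags: SSID, DS parameter set
mac = lambda raw: ":".join(f"{b:02x}" for b in raw)

def parse_mgmt_frame(frame):
    """Decode one 802.11 frame; return None unless it is a management frame."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 0:   # type bits must be 00
        return None
    info = {"subtype": frame[0] >> 4, "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    body = frame[24:]
    if info["subtype"] == BEACON and len(body) >= 12:
        cap = struct.unpack_from("<H", body, 10)[0]       # follows timestamp + interval
        info.update(ibss=bool(cap & CAP_IBSS) and not cap & CAP_ESS,   # ad hoc: IBSS set, ESS clear
                    ssid="", channel=None)
        pos = 12                                           # tagged IEs follow the fixed fields
        while pos + 2 <= len(body):
            tag, ln = body[pos], body[pos + 1]
            val = body[pos + 2:pos + 2 + ln]
            if tag == IE_SSID:
                info["ssid"] = val.decode("ascii", "replace")
            elif tag == IE_DS and ln == 1:
                info["channel"] = val[0]
            pos += 2 + ln
    elif info["subtype"] == DEAUTH and len(body) >= 2:
        info["reason"] = struct.unpack_from("<H", body)[0]
    return info

def alerts(frames):   # WIPS-style rules: flag every IBSS beacon and every deauth frame
    out = []
    for p in filter(None, map(parse_mgmt_frame, frames)):
        if p["subtype"] == BEACON and p.get("ibss"):
            out.append(f"IBSS beacon ssid={p['ssid']!r} ch={p['channel']} bssid={p['bssid']}")
        elif p["subtype"] == DEAUTH:
            out.append(f"deauth {p['src']} -> {p['dst']} reason={p['reason']}")
    return out

def beacon(bssid, ssid, channel, ibss=False):   # constructed beacon, not a real capture
    hdr = bytes([BEACON << 4, 0, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\0\0"
    fixed = b"\0" * 8 + struct.pack("<HH", 100, CAP_IBSS if ibss else CAP_ESS)
    return hdr + fixed + bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([IE_DS, 1, channel])

def deauth(ap, client, reason):   # constructed deauth frame sent by ap to client
    return bytes([DEAUTH << 4, 0, 0, 0]) + client + ap + ap + b"\0\0" + struct.pack("<H", reason)

AP = bytes.fromhex("0013101E6542")      # VisitorLAN BSSID from the chapter above
CLIENT = bytes.fromhex("00022D2D8236")  # the client it reported as connected
ADHOC = bytes.fromhex("02DEADBEEF01")   # constructed locally-administered IBSS BSSID
SAMPLE = [beacon(AP, "VisitorLAN", 6), beacon(ADHOC, "freewifi", 1, ibss=True),
          deauth(AP, CLIENT, 7)]        # reason 7: class 3 frame from a nonassociated station
```

Calling alerts(SAMPLE) returns one line for the ad hoc beacon and one for the deauthentication frame; the ordinary ESS beacon produces nothing.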
Tip

Acronym descramble: SSID, ESSID, BSS, IBSS. Here's how to decode the various acronyms used in 802.11 wireless.

SSID (Service Set Identifier)

The wireless network name. It should be unique to each AP, but can (and should) be used on multiple APs if users roam between APs. The SSID is what shows up in the wireless network list on your laptop.

BSS (Basic Service Set)

A term used to describe basic 802.11 services and the standard way for enterprises: wireless connectivity using an AP and stations. The AP controls the stations in its BSS. Think of each AP as a BSS.

IBSS (Independent Basic Service Set)

An ad hoc network with no APs, just stations that communicate directly with one another as peers.

ESS (Extended Service Set)

The set of interconnected BSSs with the same SSID (network name). When you add the same SSID to all APs in a building, they have the same SSID (network name) but are physically located on different access devices (BSS). The SSID that's extended across those APs is part of an ESS.

BSSID (Basic Service Set Identifier)

Unique ID for each BSS; it is the MAC address of the AP. In ad hoc (IBSS) networks, BSSIDs are per peer device and are made-up MAC addresses based on a random number.

URL:

https://www.sciencedirect.com/science/article/pii/B9781597496650000046

Multiple Access: Wireless Networks

Anurag Kumar , ... Joy Kuri , in Communication Networking, 2004

8.6.1 The IEEE 802.11 Standards

Figure 8.25 shows the typical architecture in which users access a wired network, and services on the network, over an IEEE 802.11 wireless LAN. Each mobile device or mobile station (MS), shown as laptop computers in the figure, associates itself with one of the access points (APs). The APs are attached to the wired LAN and could actually be fixed to a wall. An AP, together with its associated MSs, constitutes a basic services set (BSS). 1 The various BSSs are schematically shown to overlap, indicating that the areas "covered" by the various APs overlap; this permits the movement of MSs over large distances inside a building as long as they stay within the range of some AP. There is an association and disassociation protocol that facilitates such movement of MSs between BSSs. A collection of several interconnected BSSs is called an extended services set (ESS); Figure 8.25 shows an ESS with several BSSs interconnected by a LAN switch.

Figure 8.25. A typical IEEE 802.11 ESS architecture.

The desktop Ethernet access speed of 100 Mbps is now very common. Hence, for wireless access to replace Ethernet as a way to access the wired network, there have been several efforts to provide increasingly higher physical layer bit rates in the IEEE 802.11 series of standards. Three major physical layer standards have been defined. The following is a chronological list and brief description of the physical layers.

802.11b operates in the 2.4 GHz unlicensed band and provides the bit rates 1, 2, 5.5, and 11 Mbps. Two forms of direct sequence spread spectrum (DSSS) modulation are used to achieve these four data rates. In the allowed spectrum in the 2.4 GHz band, there are 14 overlapping channels, each with a bandwidth of 5 MHz. Each BSS operates, at any point in time, on one of these channels. Overlapping BSSs must use nonoverlapping channels.

802.11a operates in the 5 GHz unlicensed band and provides the bit rates 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Each BSS operates in a 20 MHz spectrum in the 5 GHz band. This spectrum is further divided into 30 carriers, which are modulated with the data using OFDM technology (see Section 8.1.4).

802.11g operates in the 2.4 GHz unlicensed band and provides speeds up to 54 Mbps.

Notice that each of these physical layer standards provides for several bit rates. These rates are obtained by various combinations of coding and modulation schemes, and each of them requires a certain minimum SNR to operate satisfactorily. Recalling our discussion in Section 8.4, note that this feature of the physical layers provides scope for the design of channel state adaptive techniques. If a transmitter–receiver pair determines that the signal quality between them is poor, then they can agree to use a more robust modulation scheme with a lower bit rate.

In addition to the physical layer standards mentioned here and multiple access control (described in the next section), the IEEE 802.11 series of standards covers issues such as security, as well as country-specific concerns regarding utilization of the unlicensed bands and coordination with other communication technologies that use the unlicensed radio spectrum. We do not discuss these details further in this book.

URL:

https://www.sciencedirect.com/science/article/pii/B9780124287518500082