Eavesdropping Attack Over Wi-Fi: Course: Security and Privacy On The Internet

Eavesdropping attack over Wi-Fi
Course: Security and Privacy on the Internet
Instructor: Dr. A.K. Aggarwal
Presented By:
Fadi Farhat
Fall, 2007
1 564 Fall 2007 Security and Privacy on the Internet - Dr. A.K. Aggarwal
Table of Contents
Part I: Paper presentation
1. Define Eavesdropping.
2. Difference between Eavesdropping over wired networks
& Eavesdropping over wireless networks.
3. What we need to eavesdrop?
4. Legality of eavesdropping devices.

5. What makes Wi-Fi susceptible to be compromised?
6. How to Secure Wi-Fi Networks?

7. Wi-Fi Special attacks.
8. How to detect eavesdropping over Wi-Fi?
Table of Contents
Part II: Project presentation
Introduction
1. Experiment Architecture and Scenarios
2. Hosts Installations and Configuration
3. Tuning CommView sniffer for experiment
4. Conducting the Experiment
4.1. Spying on HTTP (Web Pages)
4.2. Spying on FTP (Downloading files)
4.3. Spying on SMTP (Emails)
5. IDS Promisacn 3.0
6. References
7. Lab Experiment with ?????
Part I
Paper presentation
Eavesdropping
 Eavesdropping is the process of gathering

information from a network by snooping on
transmitted data.
 To eavesdrop is to secretly overhear a private

conversation over a confidential communication
in a not legally authorized way.
 The information remains intact, but its privacy is

compromised.
Eavesdropping over
wired & wireless networks
Eavesdropping over wired networks
 Over wired networks eavesdropping is more
difficult
 It needs the eavesdropper to tap the
network, using a network tap which is a
hardware device that provides a way to access
the data flowing across the network.
 Can’t be achieved unless the eavesdropper
can be in touch with the wire of the network
which is difficult sometimes and impossible the
other times.
Eavesdropping over
wired & wireless networks
Eavesdropping over wireless networks

 Easier to be achieved (no compromised dangerous).
You need
 A computer with wireless network adapter working on
promiscuous mode
 To be in the area of the wireless network coverage
 To have one of the particular software tools that allows

the eavesdropping over Wi-Fi. Commercial name for the 802.11 products.
What we need to eavesdrop?
1. Hardware tools
 Network adapter supporting promiscuous

mode (to intercept and read each network
packet especially those of other network
address). Ex: Prism 2, 2.5 and 3.
 High-power antennas can be used to

provide intercepting wireless traffic from
miles away.
What we need to eavesdrop?
2. Software tools
 Any Wireless Packet Sniffer can be used
 Widely available for sale and even free over the Internet
Ex:
Network Stumbler, Hitchhiker, Aircrack-ng,
Wireshark, Kisemet, Commview, Javvin packet
analyzer, Wildpackets, Network monitor, Wireless
monitor
Legality of eavesdropping devices
 Be aware of the legal issues before you buy
eavesdropping devices.
 It is a crime in most countries to eavesdrop

on someone’s privacy
 But as network administrators need to

analyze traffic on their networks (debug
networks, find illegitimately installed access
points) they may need eavesdropping
devices.
What makes Wi-Fi susceptible to be
compromised
 Most of the network adapters used around

the world are unsecured and open to
unauthorized use
 Many individuals’ and businesses don't

understand how to secure a wireless
network
 Many Wi-Fi products come ready-to-use

right out of the box.
Securing Wi-Fi Networks?
 The only available way to fight eavesdropping is

the encryption.
 But even using the encryption technique will not

prevent capturing the data in its encrypted form.
How to Secure Wi-Fi Networks?
Simple Steps to Secure Wi-Fi Network
1. Change the Administrative Password on

your Wireless Routers.
2. Installing a Firewall.
3. Change the Default SSID Name and Turn
off SSID Broadcasting.
4. Disable DHCP.
5. Replace WEP with WPA.
1. Change the Administrative Password
on your Wireless Routers.
 Routers came with default password to

provide easy access.
 Changing those passwords is one of the

first recommended steps to do.
 Default passwords are posted on the

vendor support sites.
2. Installing a Firewall.
 A firewall is the fence of your network

from any unauthorized accessing
 Can help in the protection of your PC by

blocking or allowing the pass to your
network.
3. Change the Default SSID Name and
Turn off SSID Broadcasting.
 In Wi-Fi a service set identifier (SSID) is a code
attached to all packets on a wireless network to
identify each packet as a part of the network.
 Changing SSID will necessitate the wireless

client computers to enter the name of the SSID
by hand before they can connect to the network.
 But even though and because the data packets

that are transmitted will include the SSID it
may be discovered.
4. Disable DHCP
 Disable the “Dynamic Host Configuration

Protocol”
 Assign IP addresses to the client

computers manually to restrict the access
to the router to specific MAC addresses.
5. Replace WEP with WPA
 WEP “Wired Equivalent Privacy” is a security protocol,

encrypting data transmitted over the wireless computer
network to provide security and privacy, and to protect the
vulnerable wireless link between clients and access points.
 But as WEP is weak and can be cracked in about 3

minutes as the FBI showed in 2005 using some freely
access tools, WPA “Wi-Fi Protected Access” which is more
powerful using 128-bit encryption keys and dynamic
session keys, must replace it to provide strong data
protection.
Wi-Fi Special attacks
Man-In-The-Middle Attack is one of the attacks
that can’t be applied to wired networks, it’s just
applicable to Wi-Fi.
 Hackers can configure a rogue AP to imitate a

legitimate AP.
 Once the client is connected to the rogue AP, the

hacker can perform any attack that involves
modifying the packet stream.
 Emails can be read, phishing attacks can be

implemented etc...
How to detect eavesdropping over Wi-Fi
 Some Wi-Fi equipment makers have added

more security measures like
 Intrusion detection uses position location

technology to detect the presence of a
malicious station in order to track down the
offending station and remove it.
 Sniffing node detection tool to detect the

Promiscuous Nodes. Ex: PromiScan.
Part II
Project presentation
Introduction
 In this project, I simulate an easy, yet

important, eavesdropping wireless attack.
 Unsecured wireless sessions can be

target for eavesdropping attackers.
 Serious confidential and personal data

can be captured, analyzed and even re-
transmitted on one’s behalf.
Experiment Architecture and Scenarios
Experiment Architecture
NetGear Wireless router
Victim Laptop
Toshiba Windows XP
Ethernet Intranet
Intranet Server
Windows Server 2000
Victim Machine (Web, Mail, FTP services)
Intruder
HP Laptop
Windows XP
CommView for WiFi
Intruder Machine
Experiment Architecture and Scenarios
Experiment Scenarios
The intruder (an upset student) will try to listen to

the data flow to/from the victim (his professor)
and capture important information about him.
 Spying on HTTP (Web Pages)
 Spying on FTP (Downloading files)
 Spying on SMTP (Emails)
Hosts Installations and Configuration
Configuration of Victim Machine
Configuring Outlook Express email client
Toshiba Laptop
CPU: Centrino 1.7 Ghz
Memory: 1 GB
Hard Disk: 80 GB
Operating System: Windows XP professional
IP Address: 192.168.1.2
Configuration of Host Intruder Machine (Laptop)
Installing CommView for Wi-Fi
HP Laptop
CPU: Centrino 1.7 GHz
Memory: 512M
Hard Disk: 60 GB
Operating System: Windows XP professional
IP Address: NO IP ADDRESS
CommView For Wi-Fi (packet sniffer and generator)
Configuration of Host Intranet Server
Installing IIS, SMTP and FTP

Configuring IIS, SMTP, FTP
IBM server
CPU: Xeon 3.00 GHz
Memory: 256 MB
Hard Disk: 80 G
Operating System: Windows 2000 Advanced Server (Ser)
IP Address: 192.168.1.100
Application: MS-IIS web server, SMTP Relay service, FTP service.
Note: For assist limitation: This server is implemented using VMware ver 4.0. A
virtual machine application that runs on top of the installed operating system. I
had to use it because the installed OS (windows XP) doesn’t support web
services (IIS, SMTP, FTP).
100 Mbps UTP connection to Access point
ON windows 2000 server, start->setting -> control panel
Add/Remove program, Add/Remove windows Components
Check the checkbox of IIS services
For the HTML, add the file called default.htm to the folder
c:\inetpub\wwwroot.
For SMTP, configure mail server domain name.
start programs administrative tools  Internet Services
Manager. Click on SMTP. Right click on domain. Click Add
new domain and type uwindsor.ca.
FTP needs no configuration. Just need to add some file to the

ftproot folder. These files will be downloaded by clients.
Configuration of Access point Router
SSID
IP address
DHCP service
Channel ID
Brand Name: Netgear 54 wireless router XG614v7
SSID name: Stay Away
Channel ID: 2
4 ports UTP switch (Intranet server is connected via)
Operating System: Windows 2000 Advanced Server (Ser)
IP Address: 192.168.1.1
Acts as a router between the wireless network and the intranet network as
shown in figure 1
Configuration of
Access point
Router
Configure Netgear
using HTTP
browser typing
HTTP://192.168
.1.1
Type the name in

the SSID name.
In the channel field,

select the
channel.
Make sure the

security field is
“none”.
Configuration
of Access
point Router
Configure the IP
address and
the DHCP of
the AP
Tuning CommView sniffer for experiment
Starting CommView for Wi-Fi,
Click on File menu then select start capture.
Configure the channel number
To limit the search
Configure IP aliases to simplify the analysis of the captured
packets by showing the alias name instead of IP address.
click on Settings IP aliases, Type in the IP address of each

host involved in the scenario
Configuring CommView Rules (Filters)
 Click on Rules tab
 Enable IP address rules
 Check the Capture option,
 Check the Both option
 Type the IP addresses of the entire host
My scenario is to capture certain packets
so only sniff the following set of protocols
 Click on Rules tab
 Tell the sniffer to only sniff the following set of protocols
 TCP port 80 for HTTP
 TCP port 20, 21 for FTP
 TCP port 25 for SMTP (mail).
Conducting the Experiment
Start Eavesdropping
 Start CommView by clicking on File --> start capture
 From the scanning window, click on start scanning
Spying on HTTP (Web Pages)
 In this attack the intruder will spy on the victim

http traffic. The Victim is accessing a web server
and reading a specific important confidential
page from his corporate web server.
 The victim will type in the web browser the
website name (here it is an IP address
192.168.1.100)
 After performing the previous step, CommView
packet tab shows that there are 45 packets has
been captured.
To make it easier for the intruder to actually

see what the victim was watching the
intruder can reconstruct the HTTP session
and view it as a web page with some format
limitation. To do this the intruder can simply
right click on any HTTP packets and select
“Reconstruct TCP session.
CommView was even able to show images transferred during the
HTTP session
Spying on FTP (Downloading files)
 The victim will connect to an FTP server to

download an important confidential file. The
victim will do the following steps
 From command prompt victim will connect to the

ftp server entering administrator account and
password and then downloading a configuration
file called rules.txt

This screen is from the victim’s laptop.
The intruder was able to capture the whole session in 67 packets. The
username and password where captured. All the commands issued by
the victim where gathered as well as a copy of the downloaded text file.
Copy of the downloaded text file.
Spying on SMTP (Emails)
The victim, using his Outlook Express sends a confidential email to Dr. Aggarwal
Spying on SMTP (Emails)
CommView captured the email, the sender, the receiver and the subject
• This whole experiment was happened over a non

secure network.
• I conducted the same detailed experiment but over a

secure network using WEP security and the results
were the same as over a non secure network.
• But when I conducted the same experiment over a

secure network using WPA security, the laptop using
sniffer couldn't even connect to the network.
IDS Promisacn 3.0
The intrusion detection system that can detect the

Promiscuous sniffing nodes (Eavesdropping) is called
PromiScan.
But due to its high price 500$ I couldn’t used it .
The free trial version of that software has many limitations

(Special IP address range) and I actually spend more
than 10 hours trying it but without any results.
References
 [1] M. Domenico, A. Calandriello, G. Calandriello and A. Lioy. Dependability

in Wireless Networks: Can We Rely on WiFi?. IEEE Security and Privacy,
5(1):23-29, 2007
 [2] www.london-wifi.com
 [3] www.wlantenna.com/wlantenna.htm
 [4] http://www.tscmvideo.com/eavesdropping/eavesdropping-device.html
 [5] LucidLink, the network security products company, WiFiTheft.com,
wifi.weblogsinc.com, WarDriving.com, Wigle.net, www.intelligentedu.com
 [6] Wikipedia encyclopedia. Eavesdropping on Wi-Fi, chapter 6 page 122
 [7] http://www.sciam.com/article.cfm
 [8] A. Nicholson and B. Noble. Automatic Network Management for Mobile
Devices. In Proc. Seventh IEEE Workshop on Mobile Computing Systems &
Applications, IEEE Computer Society, pages 47–47, 2006.
 [9] Eavesdropping on Wi-Fi, chapter 6 page 122
 [10] The experiment Scenario figure, Eavesdropping project.
 [11] www.securityfriday.com/products/promiscan.html
Questions in the lab

Eavesdropping Attack Over Wi-Fi: Course: Security and Privacy On The Internet

Uploaded by

Copyright:

Available Formats

Eavesdropping Attack Over Wi-Fi: Course: Security and Privacy On The Internet

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Eavesdropping Attack Over Wi-Fi: Course: Security and Privacy On The Internet

Uploaded by

Copyright:

Available Formats

Eavesdropping attack over Wi-Fi

Course: Security and Privacy on the Internet

Instructor: Dr. A.K. Aggarwal

3. What we need to eavesdrop?

4. Legality of eavesdropping devices.

6. How to Secure Wi-Fi Networks?

 Eavesdropping is the process of gathering

 To eavesdrop is to secretly overhear a private

 The information remains intact, but its privacy is

Eavesdropping over wireless networks

 To have one of the particular software tools that allows

 Network adapter supporting promiscuous

 High-power antennas can be used to

 Any Wireless Packet Sniffer can be used

 It is a crime in most countries to eavesdrop

 But as network administrators need to

 Most of the network adapters used around

 Many individuals’ and businesses don't

 Many Wi-Fi products come ready-to-use

 The only available way to fight eavesdropping is

 But even using the encryption technique will not

1. Change the Administrative Password on

 Routers came with default password to

 Changing those passwords is one of the

 Default passwords are posted on the

 A firewall is the fence of your network

 Can help in the protection of your PC by

 Changing SSID will necessitate the wireless

 But even though and because the data packets

 Disable the “Dynamic Host Configuration

 Assign IP addresses to the client

5. Replace WEP with WPA

 WEP “Wired Equivalent Privacy” is a security protocol,

 But as WEP is weak and can be cracked in about 3

 Hackers can configure a rogue AP to imitate a

 Once the client is connected to the rogue AP, the

 Emails can be read, phishing attacks can be

 Some Wi-Fi equipment makers have added

 Intrusion detection uses position location

 Sniffing node detection tool to detect the

 In this project, I simulate an easy, yet

 Unsecured wireless sessions can be

 Serious confidential and personal data

The intruder (an upset student) will try to listen to

 Spying on HTTP (Web Pages)

 Spying on FTP (Downloading files)

 Spying on SMTP (Emails)

Configuration of Victim Machine

Configuring Outlook Express email client

Configuration of Host Intruder Machine (Laptop)

Installing CommView for Wi-Fi

Configuration of Host Intranet Server

Installing IIS, SMTP and FTP

Configuration of Host Intranet Server

FTP needs no configuration. Just need to add some file to the

Configuration of Access point Router

Type the name in

In the channel field,