ISRM Presentation

This document discusses a whole process WiFi security perception software system. It summarizes key terms related to WiFi security like rogue access points, SSIDs, and deauth attacks. It then describes the software system's three main modules: 1) A pre-connection module that detects security threats by analyzing SSIDs, traffic, and traceroutes. 2) A sniffing module that uses fake 4-way handshakes to protect the actual PSK from sniffers. 3) A threat perception module that detects deauth attacks in real-time.

Uploaded by

Yograj

A Whole Process WiFi Security Perception Software System

Presented By:
Yograj Sharma
2022PITP-303
Key Terms:
 1. Rogue Access Point: a wireless access point installed on a secure network without authorization from the local network administrator.

 2. SSID: the sequence of characters that names a Wi-Fi network. An SSID is not unique: several APs, legitimate or not, can advertise the same one. The BSSID (the MAC address of the AP radio) is what identifies an individual AP.

 3. WEP/WPA: Wired Equivalent Privacy / Wi-Fi Protected Access, the Wi-Fi security protocols. WEP is broken and should not be used; WPA2 (IEEE 802.11i) is the baseline today.

 4. Deauth Attack: forging 802.11 deauthentication management frames so that a station is disconnected from its AP.

 5. 4-Way Handshake: the key-establishment protocol defined by IEEE 802.11i (WPA/WPA2), run after authentication and association to derive and confirm the session keys.
4-Way Handshake:
 The 4-way handshake is the exchange of four EAPOL-Key messages between the access point (authenticator) and the client device (supplicant). It proves that both sides hold the same master key and derives the fresh keys that encrypt the actual data sent over the wireless medium.

 The keys generated by the 4-way handshake are derived from source key material, which is discussed on the next slide.
Important Terminologies used in 4-Way Handshake:

• PSK (Pre-Shared Key): derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 256-bit output). In WPA/WPA2-Personal the PMK is the PSK itself.

• PMK (Pairwise Master Key): the 256-bit master secret shared by AP and client; the PSK in personal mode, or taken from the MSK in 802.1X/EAP mode.

• GMK (Group Master Key): the AP's master secret from which the group (broadcast/multicast) key is derived.

• MSK (Master Session Key): the key exported by a successful EAP authentication; in 802.1X mode the PMK is derived from the MSK (its first 256 bits).

• PTK (Pairwise Transient Key): PTK = PRF(PMK, "Pairwise key expansion", min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce)), where AA is the AP's MAC address and SPA the station's. The PTK is split into the KCK (MIC key), the KEK (key-wrapping key) and the TK (data encryption key).

• GTK (Group Temporal Key): the key for broadcast/multicast traffic, derived from the GMK and delivered to the client in message 3, wrapped under the KEK.

• PRF: the Pseudo-Random Function (HMAC-SHA1 based in 802.11i) applied to all of the inputs above.

• ANonce and SNonce: random nonces chosen by the authenticator (AP) and the supplicant (client), sent in messages 1 and 2. Fresh nonces make every PTK unique even though the PMK does not change.

• MIC: Message Integrity Code, computed with the KCK over messages 2, 3 and 4. It is what proves each side knows the PMK, and it is also what an offline cracker tests candidate passphrases against.

4-Way Handshake:

From (open) authentication to association to security validation: this is where the 4-way handshake happens. Instead of sending the password to the access point, the client and the AP exchange EAPOL (Extensible Authentication Protocol over LAN) messages, so the passphrase itself never goes over the air.
Wi-Fi De-authentication Attack

 An attacker can send a deauthentication frame at any time to a wireless access point or to a client, with a spoofed source address (the victim's MAC towards the AP, or the AP's BSSID towards the victim).

 The protocol does not require any encryption or authentication for this management frame, even when the session was established with a wireless security protocol, so the receiver cannot tell a forged frame from a genuine one. Only 802.11w (Protected Management Frames), which WPA3 makes mandatory, closes this gap.
Introduction
 Research works show that there are mainly three types of WiFi attack: rogue access points, sniffing and deauth attacks.

 Although IEEE has designed a series of security protocols for 802.11 (the best known and most useful encryption being WPA2), the original protocols have had difficulty coping with the variety of attacks; upgrading them in time costs a lot; and existing intrusion detection systems are mainly built for the enterprise environment and are not suitable for large-scale deployment in public places.
Cont.…
 A personal router cannot guarantee security against rogue APs, deauth and other attacks. In addition, lost accounts, privacy leaks and other incidents break out frequently because of WiFi use, and user security awareness is weak.

 The work in this paper aims at protecting users while they surf the Internet through WiFi. A Whole-Process WiFi Security Perception System is designed based on an analysis of the client's usage process, focusing on the possible threats during the pre-connection, connecting and after-connection phases.

 It consists of three modules that use different methods to handle and protect these three periods of time.
Software System Scheme:
Figure 1 shows that the software works over three periods of time. First, the software sniffs the environment and performs a basic detection so that the user can identify the APs. Next, once the user decides which AP to connect to, during the connection we start a "fog" connection to protect the real handshake. After the connection has been built, the real-time detection module watches for deauth attacks.

Fig 1: Working Process of Software System   Fig 2: Structure of the Application


Cont…
 1. Pre-Connection Module:
  SSID, BSSID, AP load & traffic
  Protocol fingerprint
  Traceroute

 2. Sniffing Module:

Following the idea of fog computing, it sends fake 4-way handshake messages so that a sniffer recovers a fake PSK instead of the real one.

 3. Threat Perception Module:

 Detects deauth attacks in time, based on the deauthentication frames themselves.
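As an added example (not code from this presentation or from the system it describes), here is how the threat perception module's rule, detecting a deauth attack from the deauth frames themselves, can be implemented in Python with only the standard library: parse the frame control field and the addresses of a raw 802.11 frame, and raise an alert when one BSSID emits a burst of deauthentication frames. The threshold, the window and the sample frames are this example's own assumptions; on a real system the frames would come from a monitor-mode capture on the airmon-ng interface (for instance Scapy's sniff) instead of the constructed list below. The detector keys on the rate and on the broadcast receiver rather than on the transmitter address, because the attacker forges that address to be the AP, and a single deauth is normal client behaviour.

```python
import struct
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_deauth(frame: bytes):
    """Return (receiver, transmitter, bssid, reason_code) if `frame` is an 802.11
    deauthentication frame, otherwise None.

    Frame Control is the first two bytes (little-endian). In byte 0: bits 0-1 are the
    protocol version, bits 2-3 the type (0 = management), bits 4-7 the subtype
    (12 = deauthentication). The three addresses follow the 2-byte Duration field,
    then Sequence Control; the deauth body is a 2-byte little-endian reason code."""
    if len(frame) < 26:
        return None
    ftype = (frame[0] >> 2) & 0x3
    subtype = frame[0] >> 4
    if ftype != 0 or subtype != 12:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack("<H", frame[24:26])
    return mac_str(addr1), mac_str(addr2), mac_str(addr3), reason


class DeauthDetector:
    """Raises an alert when `threshold` or more deauth frames are seen for one BSSID
    within `window` seconds. One deauth is normal (a client leaving); a burst, usually
    addressed to the broadcast MAC, is what aireplay-ng -0 produces. The transmitter
    address is not trusted: the attacker forges it to be the AP."""

    def __init__(self, threshold: int = 5, window: float = 2.0):
        self.threshold = threshold
        self.window = window
        self.seen = {}  # bssid -> deque of timestamps of recent deauth frames

    def observe(self, frame: bytes, ts: float):
        parsed = parse_deauth(frame)
        if parsed is None:
            return None
        receiver, transmitter, bssid, reason = parsed
        q = self.seen.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) < self.threshold:
            return None
        return {"bssid": bssid, "claimed_source": transmitter, "target": receiver,
                "broadcast": receiver == BROADCAST, "reason": reason, "count": len(q)}


# --- constructed sample traffic (this example's own, not a real capture) -------------
def make_deauth(receiver: str, transmitter: str, bssid: str, reason: int = 7) -> bytes:
    """Build a raw deauth frame. Reason 7 ("class 3 frame received from non-associated
    station") is what aireplay-ng -0 sends by default."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([0xC0, 0x00]) + b"\x00\x00"        # frame control (deauth), duration
            + mac(receiver) + mac(transmitter) + mac(bssid)
            + b"\x00\x00"                             # sequence control
            + struct.pack("<H", reason))


AP = "00:11:22:33:44:55"       # assumed BSSID of WIFI-SEC
VICTIM = "66:77:88:99:aa:bb"   # assumed client MAC


def demo():
    det = DeauthDetector(threshold=5, window=2.0)
    # t=0: the client really leaves (reason 3, "station is leaving")
    traffic = [(0.0, make_deauth(AP, VICTIM, AP, reason=3))]
    # t=10s: a forged burst "from" the AP to everyone, 100 ms apart
    traffic += [(10.0 + i * 0.1, make_deauth(BROADCAST, AP, AP)) for i in range(10)]
    return [a for ts, f in traffic if (a := det.observe(f, ts)) is not None]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The first alert fires on the fifth forged frame and every later frame in the burst keeps it raised, while the single legitimate deauth ten seconds earlier produces nothing. Estimating the attacker's distance, which the experiments mention, would need the RSSI from the radiotap header of the same frames; it is not modelled here.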
A. Detecting and Sniffing Module
 To ensure an environment is safe, we need to collect information from the existing APs; this is the basis of the whole software.

 We use the command "airmon-ng" to put the wireless network interface controller (NIC) into monitor mode (often loosely called promiscuous mode), so that it receives all 802.11 frames in the environment, including the beacons and management frames that a normal, associated interface never delivers.

 Here, we use the Python library Scapy, whose API lets us capture, decode and inject 802.11 frames on that interface.
Contd…
 After sniffing the data, the useful fields are collected and stored in a dictionary structure.

 We use the SSID as the key for each AP. Since the same SSID can be advertised by several APs, the MAC address (BSSID), which is unique to each AP radio, is what distinguishes them.

 Following this rule, we collect the channel, the method of encryption, etc., and also store the evaluation and judgment information for each AP in the same structure.


1. Unusual Rogue AP
 Typically an AP has its own unique SSID, but in public places like hotels the WLAN is often composed of a number of APs with the same name.

 A remarkable feature of this phishing attack (the "evil twin") is that the AP's SSID already exists. An individual's computer cannot judge whether two APs with the same SSID belong to the same secure network or not. There are two reasons this method succeeds:

  Default settings in computers treat APs with the same SSID and the same encryption as one network.

  Computers choose the AP with the stronger signal to guarantee a better experience for users, without any security authentication.
Contd..
 When the hacker's AP has a stronger signal than the legitimate one, users will automatically connect to the rogue AP.

 In order to prevent this circumstance, we match the MAC address with the manufacturer, because the first three bytes of the MAC address (the OUI) correspond to the manufacturer according to the IEEE registry.

 Here, we download the OUI list from the IEEE website and rearrange it in a specific order. Each time we sniff the environment, the information is rematched against the list and marked with a security level. (A MAC address can be changed in software, so a matching vendor is only a weak positive signal; a missing or implausible vendor is the stronger warning.)
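As an added example (not the presentation's own code), here is the AP inventory and OUI matching described on these slides in Python: parse an oui.txt-style list from IEEE into an OUI-to-vendor table, key the sniffed APs by SSID as the slide says while keeping the BSSID in each entry, and assign a security level. The registry excerpt and the beacon observations are constructed for this example (placeholder OUIs and vendor names, not real registry entries), and the level rules are this example's choice. Because MAC addresses can be changed in software, a registered vendor proves nothing on its own; the evil-twin signal is two BSSIDs from different vendors advertising the same SSID, and the strongest single-AP signal is a BSSID with no registered OUI or with the locally administered bit set.

```python
import re

# Constructed excerpt in the layout of IEEE's oui.txt; the OUIs and vendor names are
# placeholders for this example, not real registry entries.
OUI_TXT = """
C0-FF-EE   (hex)\t\tExample Router Co
C0FFEE     (base 16)\t\tExample Router Co
0D-EC-AF   (hex)\t\tExample USB NIC Co
0DECAF     (base 16)\t\tExample USB NIC Co
"""

OUI_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(\S.*?)\s*$")


def parse_oui_registry(text: str) -> dict:
    """Parse the '(hex)' lines of oui.txt into {'c0ffee': 'Vendor'}."""
    registry = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            registry["".join(m.group(1, 2, 3)).lower()] = m.group(4)
    return registry


def vendor_of(mac: str, registry: dict):
    """The first three bytes of a MAC are the OUI. Returns (vendor or None, locally_administered).
    Bit 1 of the first byte set means a locally administered (software-chosen) address,
    which by definition has no registered vendor."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    locally_administered = bool(int(digits[:2], 16) & 0x02)
    return registry.get(digits[:6]), locally_administered


def build_inventory(observations, registry):
    """The slide's dictionary keyed by SSID; under each name, the BSSIDs seen with channel,
    encryption, vendor and a security level. Levels: 'normal'; 'warning' when one SSID is
    served by APs of different vendors (the evil-twin pattern; the software cannot tell
    which one is the original, so both are flagged); 'suspicious' for an unregistered or
    locally administered MAC."""
    inventory = {}
    for ssid, bssid, channel, encryption in observations:
        vendor, local = vendor_of(bssid, registry)
        inventory.setdefault(ssid, []).append({
            "bssid": bssid.lower(), "channel": channel, "encryption": encryption,
            "vendor": vendor, "locally_administered": local, "level": "normal"})
    for aps in inventory.values():
        vendors = {ap["vendor"] for ap in aps}
        for ap in aps:
            if ap["vendor"] is None or ap["locally_administered"]:
                ap["level"] = "suspicious"
            elif len(vendors) > 1:
                ap["level"] = "warning"
    return inventory


# Constructed beacon observations (ssid, bssid, channel, encryption) as the sniffing
# module would collect them; the second "WIFI-SEC" from another vendor is the twin.
OBSERVED = [
    ("WIFI-SEC", "C0:FF:EE:12:34:56", 6, "WPA2-PSK"),
    ("WIFI-SEC", "0D:EC:AF:AA:BB:CC", 6, "WPA2-PSK"),
    ("Guest",    "02:00:00:11:22:33", 11, "OPEN"),
]


def demo():
    return build_inventory(OBSERVED, parse_oui_registry(OUI_TXT))


if __name__ == "__main__":
    for ssid, aps in demo().items():
        for ap in aps:
            print(ssid, ap["bssid"], ap["vendor"], ap["level"])
```

With the real registry (the file is several megabytes) the parse step is the "rearrange them in a specific order" of the slide; the dictionary lookup by the first six hex digits is then constant time per AP.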
2. Protocol Fingerprint Detecting
 A normal AP and a rogue AP can both provide the same network connection, the same method of data encryption, even a real Internet environment.

 However, a normal AP, which usually is a router, only transports and redirects data, while a rogue AP analyzes the data; these complicated functions are usually hard to install on a small router, so the rogue AP is typically a laptop or other general-purpose computer.
Contd…
 In this case, detecting the operating system behind the AP becomes convincing evidence about the AP's security.

 Different systems react differently to the same protocol request, because each has its own protocol-stack implementation, which is quite unique to each type of system. This fingerprint is extracted from the packets.

 In this software, we mainly focus on the TCP/IP and ARP protocols. After the data is collected, we compare it with the OS fingerprint database of Nmap. There are also Python libraries related to Nmap that make it easier to consult the result.
3. Amount of Connection Detection
 In public places, a normal AP will already have a certain number of connections before the attacker arrives.

 An AP set up by an attacker usually carries a smaller load (fewer clients and less traffic) than the normal one. This can also be a feature for judging the security level.
4. Traceroute Path Detection

 In an AP's WLAN, the client-side IP address is private (192.168.x.x, for example, or another RFC 1918 range), while the other side of the router has a public address. Running the command "traceroute" reveals the hops of the network: as the TTL (time-to-live) value in the IP packet is decreased each time it passes a router, we can learn the path.

 By contrast, since the attacker's AP provides a real network connection by relaying through an upstream network, it adds another hop to the path, and that hop will also be marked with a private address.

 These two differences produce a warning in the software.
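As an added example (not the presentation's code), the traceroute check above in Python: parse Linux-style traceroute output into a list of hop addresses, count the run of private hops before the first public one, and warn when there is more than one. The private ranges are the RFC 1918 networks plus the carrier-grade NAT range, spelled out explicitly because "192.x.x.x" as a whole is not private. The two traceroute outputs are constructed for this example, with 203.0.113.0/24 (a documentation range) standing in for a public address. One caveat a practitioner should keep in mind: an ISP modem that does its own NAT in front of the user's router, or a carrier-grade NAT, also produces two private hops, so this is a warning to combine with the other checks, not proof of a rogue AP.

```python
import ipaddress
import re

# RFC 1918 ranges plus RFC 6598 carrier-grade NAT space. Only 192.168.0.0/16 is private,
# not "192.x.x.x" as a whole.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_traceroute(output: str):
    """One entry per hop: the first IPv4 address on the hop line, or '*' when every probe
    timed out. The header line ("traceroute to ...") does not start with a hop number."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ip = IPV4.search(m.group(2))
        hops.append(ip.group(1) if ip else "*")
    return hops


def classify_path(hops):
    """Count the private hops before the first public one.
    Directly behind a single router the client sees exactly one private hop (its gateway).
    A rogue AP that relays through the real network inserts itself, so two private hops
    appear before the public Internet. A timed-out hop is skipped rather than counted."""
    private_hops = 0
    for hop in hops:
        if hop == "*":
            continue
        if is_private(hop):
            private_hops += 1
        else:
            break
    if private_hops == 1:
        return private_hops, "normal"
    if private_hops == 0:
        return private_hops, "unexpected: no private gateway in path"
    return private_hops, ("warning: %d private hops before the Internet, "
                          "possible relaying rogue AP" % private_hops)


# Constructed traceroute outputs (Linux format) for a direct path and a relayed one.
NORMAL_PATH = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.2 ms  1.0 ms  0.9 ms
 2  203.0.113.9 (203.0.113.9)  8.1 ms  7.9 ms  8.3 ms
"""
ROGUE_PATH = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.4.1 (192.168.4.1)  2.0 ms  1.8 ms  1.9 ms
 2  * * *
 3  192.168.1.1 (192.168.1.1)  4.1 ms  3.9 ms  4.0 ms
 4  203.0.113.9 (203.0.113.9)  11.2 ms  10.8 ms  11.0 ms
"""


def demo():
    return {name: classify_path(parse_traceroute(text))
            for name, text in (("normal", NORMAL_PATH), ("rogue", ROGUE_PATH))}


if __name__ == "__main__":
    for name, (count, verdict) in demo().items():
        print(name, count, verdict)
```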


B. Connection Protecting Module
 WiFi uses encryption to protect the data, but there are still ways to recover the key: powerful computers, social engineering, etc.

 This module takes the concept of active defense, deceiving the attacker's sniffing process in order to achieve the goal of protecting the data.

 According to 802.11, the initial authentication process is carried out either using a pre-shared key (PSK) or following an EAP exchange through 802.1X (carried as EAPOL, which requires the presence of an authentication server).
Cont…
 This process ensures that the client station (STA) is authenticated with the AP. After the PSK or 802.1X authentication, a shared secret key is established, called the Pairwise Master Key (PMK).

 After the handshake, the connection is built and, thanks to the encryption, the data is too hard for attackers to decrypt.

 In that case, the attacker chooses to sniff the handshake packets, which are the only unprotected packets of the session. The handshake does not carry the password, but it does carry the nonces and a MIC computed from the derived keys, so an attacker who captures it can run an offline dictionary attack: recompute PSK, PTK and MIC for each candidate passphrase until the MIC matches, and so recover the real password.
1. Protection Method

 In order to prevent the circumstance mentioned above, we send out many fake handshake packets during the handshake.

 Because sniffing cannot be stopped, the concept of active defense is much better here.

 The AP knows which is the real handshake packet, according to the previous handshake packet.

 However, the attacker's tool has to judge for itself, and a fake packet can also be "cracked" to a plausible password, which cheats the attacker.
2. Details of Realization

 We extract the details from the sniffing module and generate the fake packets.

 We prepare several common password dictionaries, and the fake password is chosen randomly from them, so that a cracker's wordlist will "succeed" on it.

 After the second handshake message, all the packets are sent to the AP. If the attacker is sniffing at the same time, the result will be obfuscated.
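As an added example (not the presentation's own code), the following Python serves two slides at once: the key-material slide (PSK, PMK, PTK, MIC) and the fake-handshake protection just described. It implements the WPA2-Personal derivations with the standard library only, builds a minimal EAPOL-Key message 2, shows the offline dictionary check that aircrack-ng performs on a captured handshake, and then builds a decoy message 2 whose MIC validates under a dictionary word, which is exactly the "123456789" outcome the experiments report. The BSSID, station MAC, nonces and wordlist are constructed; in the real system they would come from the sniffing module. The decoy here reuses the real SNonce and replay counter; how the AP recognizes the real frame among the decoys is the system's own mechanism and is not modelled.

```python
import hashlib
import hmac
import struct

# --- key material of WPA2-Personal (IEEE 802.11i) --------------------------------------

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    In a PSK network the PMK is this value. (802.11 Annex test vector:
    passphrase "password", SSID "IEEE" -> f42c6fc5...a12e.)"""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3,
    concatenated and truncated to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering is what lets both sides derive the same PTK.
    Layout for CCMP: KCK (16 bytes, MIC key) | KEK (16, key wrap) | TK (16, data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


# --- EAPOL-Key message 2 and its MIC ------------------------------------------------------

MIC_OFFSET = 81        # 4-byte 802.1X header + 77 bytes of key descriptor precede the MIC
NONCE_OFFSET = 4 + 13  # header + descriptor type (1) + key info (2) + key length (2) + replay ctr (8)


def build_msg2(snonce: bytes, replay_counter: int, kck: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (supplicant -> AP) for WPA2/CCMP with its MIC filled in.
    Key Info 0x010a = descriptor version 2 (HMAC-SHA1-128 MIC), pairwise key, MIC present."""
    body = struct.pack(">BHHQ", 2, 0x010A, 16, replay_counter)  # RSN descriptor, key info, key len, replay ctr
    body += snonce + bytes(16) + bytes(8) + bytes(8)             # nonce, key IV, RSC, key ID
    body += bytes(16) + struct.pack(">H", 0)                     # MIC placeholder (zeros), key data length 0
    frame = struct.pack(">BBH", 2, 3, len(body)) + body          # 802.1X: version 2, type 3 = EAPOL-Key
    mic = hmac.new(kck, frame, hashlib.sha1).digest()[:16]       # MIC is computed with the MIC field zeroed
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def mic_valid(kck: bytes, frame: bytes) -> bool:
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    expected = hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(expected, frame[MIC_OFFSET:MIC_OFFSET + 16])


# --- the sniffer's offline attack, and the decoy that misleads it -------------------------

def crack_psk(wordlist, ssid, aa, spa, anonce, msg2):
    """What aircrack-ng does with a captured handshake: for each candidate passphrase
    recompute PSK -> PTK -> KCK and test message 2's MIC. The passphrase is never on the
    air; only the MIC lets a candidate be checked."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    for candidate in wordlist:
        kck = derive_ptk(derive_psk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if mic_valid(kck, msg2):
            return candidate
    return None


def decoy_msg2(decoy_passphrase, ssid, aa, spa, anonce, snonce, replay_counter) -> bytes:
    """The fake handshake of the sniffing module: same addresses, nonces and replay counter
    as the real message 2, but a MIC keyed from a dictionary word, so a cracker that
    "succeeds" on it recovers the decoy instead of the real PSK."""
    kck = derive_ptk(derive_psk(decoy_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return build_msg2(snonce, replay_counter, kck)


# Constructed parameters of the experiment (BSSID, client MAC, nonces and wordlist are assumed).
SSID = "WIFI-SEC"
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["123456789", "password", "letmein"]


def demo():
    real_kck = derive_ptk(derive_psk("password", SSID), AA, SPA, ANONCE, SNONCE)[:16]
    real = build_msg2(SNONCE, 1, real_kck)
    decoy = decoy_msg2("123456789", SSID, AA, SPA, ANONCE, SNONCE, 1)
    return (crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, real),
            crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, decoy))


if __name__ == "__main__":
    print(demo())  # ('password', '123456789')
```

Run against the real frame the dictionary attack stops at "password"; run against the decoy it stops at "123456789", which is the effect figure 15 shows. Two things follow from the derivation: the PBKDF2 step is what makes each candidate cost 4096 HMAC iterations, and a decoy only works if its MIC is computed with the same AA, SPA and nonces the cracker will read from the capture, otherwise no candidate validates and the tool simply reports no key found.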
Experimental Testing

 Environment Description: in a laboratory in a building, with coverage from many wireless signals.

 A wireless router provides the legitimate AP, named WIFI-SEC, using WPA2-PSK security.

 The victims are connected to the legitimate AP and to the Internet.

 Currently, the most used tools are the aircrack-ng suite: a series of tools for sniffing (airodump-ng), deauthentication (aireplay-ng), cracking the password (aircrack-ng), creating rogue APs, etc. We use these tools to test our software.
Cont..

Equipment Details

  Equipment                            Role
  D-Link wireless router               Used as the legitimate AP providing access to the Internet
  Laptop + TP-Link USB wireless NIC    The attacker, with the attack tools installed
  Laptop                               The user, with the whole-process WiFi security perception software system installed
1. Attack Experiments:

 First, the attacker starts with the wireless networks, obtaining AP information and user information, as shown in figure 12.

 After that, in order to obtain the 4-way handshake frames quickly, the attacker launches a deauth attack to knock the victim offline so that it reconnects, and finally brute-forces the captured handshake to crack the key.
Cont..
 A malicious AP is set up with its SSID set to the experiment's WIFI-SEC, the same password as the original WIFI-SEC, and WPA2 encryption as well.

 With the phishing WiFi set up, the victim, when searching for WiFi, is unable to perceive the malicious AP.

 The attacker uses aireplay-ng again to drop the victim, which then automatically connects to the malicious AP.
2. Anti-attack Experiments

 The users use our "whole-process WiFi security perception software system" for wireless Internet access, and the attacker uses the same attack techniques as in the attack experiment.

 The system can be used normally for WiFi surfing, and then, under attack, each function is tested in turn.

 Users scan the current security of the network environment; there is no false alarm, and the connection works normally afterwards.

 While the user is browsing normally, the attacker launches a deauth attack and sniffs the 4-way handshake to crack the PSK. On the deauth attack, our software system immediately prompts the user and gives an estimated distance to the attacker.

 The system's defense module prevented airodump-ng and aircrack-ng from sniffing and cracking the PSK: they obtain the false key.

 In the system, we create an AP called "WIFI-SEC" whose password is "password", and the software begins to connect to it.

 In the meantime, aircrack-ng starts to sniff and crack the handshake packets.

 In figure 15, we can see the result is 123456789, which means aircrack-ng has been cheated by our software's fake packets.
Conclusion
 The design of a whole-process WiFi security perception software system has been described above. It consists of three modules that protect the user from security threats during the pre-connection, connection and after-connection periods.

 The system can display the detected WiFi environment with a 3D effect, marking rogue APs; during the connection, inspired by the idea of fog computing, it sends fake traffic to protect the PSK from sniffing; after connection, it detects deauth attacks in time and traces the attacker.

 The software functionalities are realized, all suspicious points are displayed on the user interface (UI), and all instructions are simple and clear. It is designed even for those who know only a little about computer operation, so normally there should not be any problem operating it.

 The corresponding experimental testing results show that it can protect surfing in the WiFi environment effectively.
Thank You !