Authentication is the process by which a station proves its identity to
another station or AP. In open system authentication, all stations
are authenticated without any checking: a station A sends an
Authentication management frame that contains the identity of A to station
B, and station B replies with a frame, addressed to A, that indicates
recognition. In the closed network architecture, the stations must know the
SSID of the AP in order to connect to it. Shared key
authentication uses a standard challenge and response along with a shared
secret key.
Data can be exchanged between the station and AP only after a
station is associated with an AP in the infrastructure mode or with another
station in the ad hoc mode. All the APs transmit Beacon frames a few
times each second that contain the SSID, time, capabilities, supported rates,
and other information. Stations can choose to associate with an AP
based on, for example, the signal strength of each AP. Stations can have a
null SSID that is considered to match all SSIDs.
The association is a two-step process. A station that is currently
unauthenticated and unassociated listens for Beacon frames. The station selects
a BSS to join. The station and the AP mutually authenticate themselves by
exchanging Authentication management frames. The client is now
authenticated, but unassociated. In the second step, the station
sends an Association Request frame, to which the AP responds with an
Association Response frame that includes an Association ID to the
station. The station is now authenticated and associated.
A station can be authenticated with several APs at the same time,
but associated with at most one AP at any time. Association implies
authentication. There is no state where a station is associated but not
authenticated.
Sniffing is eavesdropping
on the network. A (packet) sniffer is a program
that intercepts and decodes network traffic broadcast through a
medium. Sniffing is the act by a machine S of making copies of a
network packet sent by machine A intended to be received by machine B.
Such sniffing, strictly speaking, is not a TCP/IP problem, but it is enabled by
the choice of broadcast media, Ethernet and 802.11, as the physical and data
link layers.
Sniffing has long been a reconnaissance technique used in wired
networks. Attackers sniff the frames necessary to enable the exploits
described in later sections. Sniffing is the underlying technique used in
tools that monitor the health of a network. Sniffing can also help
find the easy kill as in scanning for open access points that allow anyone to
connect, or capturing the passwords used in a connection session that does not
even use WEP, or in telnet, rlogin and ftp connections.
It is easier to sniff wireless networks than wired ones. It is
easy to sniff the wireless traffic of a building by setting up shop in a car
parked in a lot as far away as a mile, or while driving around the block. In a
wired network, the attacker must find a way to install a sniffer on one or more
of the hosts in the targeted subnet. Depending on the equipment used in a
LAN, a sniffer needs to be run either on the victim machine whose traffic is of
interest or on some other host in the same subnet as the victim. An
attacker at large on the Internet has other techniques that make it possible to
install a sniffer remotely on the victim machine.
Scanning is sniffing while tuning the radio to the various channels
used by the devices. A passive network scanner instructs
the wireless card to listen to each channel for a few messages. This does
not reveal the presence of the scanner.
An attacker can passively scan without transmitting at all.
Several modes of a station permit this. There is a mode called RF
monitor mode that allows every frame appearing on a channel to be
copied as the radio of the station tunes to various channels. This is
analogous to placing a wired Ethernet card in promiscuous mode. This mode is
not enabled by default. Some wireless cards on the market today have disabled
this feature in the default firmware. One can buy wireless cards whose
firmware and corresponding driver software together permit reading of all raw
802.11 frames. A station in monitor mode can
capture packets without associating with an AP or ad-hoc network. The
so-called promiscuous mode allows the capture of all wireless
packets of an associated network. In this mode, packets cannot be read until
authentication and association are completed.
An example sniffer is Kismet (http://www.kismetwireless.net). An example wireless card that
permits RF monitor mode is the Cisco Aironet AIR-PCM342.
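As an added illustration of the Beacon contents described above and of what a passive scanner in monitor mode sees, the following Python parser (written for this page, not taken from Kismet or any other tool) decodes beacon frames into BSSID, SSID, capability bits, supported rates and channel, and lists the APs whose beacons advertise no link-layer encryption, which is the audit a network owner would run to find such "easy kill" access points. The frame layout follows the 802.11 management frame format; the sample frames are constructed here, not captured.

```python
import struct

# Constructed sample beacons (not real captures): one protected AP and one open AP.
def build_beacon(bssid, ssid, privacy, rates, channel):
    """Assemble a minimal beacon frame (no FCS); used only to create sample input."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (0x0010 if privacy else 0)          # ESS bit | Privacy bit
    body = struct.pack("<QHH", 0, 100, cap)            # timestamp, interval, capability
    body += bytes([0, len(ssid)]) + ssid.encode()      # IE 0: SSID
    body += bytes([1, len(rates)]) + bytes(rates)      # IE 1: supported rates
    body += bytes([3, 1, channel])                     # IE 3: DS parameter set (channel)
    return hdr + body

SAMPLE_BEACONS = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", "CorpNet", True, [0x82, 0x84, 0x0b, 0x16], 6),
    build_beacon(b"\x66\x77\x88\x99\xaa\xbb", "Guest", False, [0x82, 0x84], 11),
]

def parse_beacon(frame):
    """Decode the MAC header, fixed fields and tagged elements of one beacon."""
    if len(frame) < 36 or frame[0] != 0x80:            # type 0 / subtype 8 = beacon
        raise ValueError("not a beacon management frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # Addr3 carries the BSSID
    timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "timestamp": timestamp, "interval_tu": interval,
            "ess": bool(cap & 0x0001), "privacy": bool(cap & 0x0010),
            "ssid": None, "rates_mbps": [], "channel": None}
    pos = 36
    while pos + 2 <= len(frame):                        # walk the ID/len/value elements
        eid, ln = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + ln]
        if len(data) < ln:
            raise ValueError("truncated information element")
        if eid == 0:
            info["ssid"] = data.decode("utf-8", "replace")   # "" means the SSID is hidden
        elif eid == 1:
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in data]  # units of 500 kbit/s
        elif eid == 3 and ln == 1:
            info["channel"] = data[0]
        pos += 2 + ln
    return info

def unprotected_aps(frames):
    """Audit helper: BSSIDs whose beacons advertise no link-layer encryption."""
    return [b["bssid"] for b in map(parse_beacon, frames) if not b["privacy"]]

if __name__ == "__main__":
    for f in SAMPLE_BEACONS:
        print(parse_beacon(f))
    print("open APs:", unprotected_aps(SAMPLE_BEACONS))
```

A truncated frame raises ValueError rather than yielding a partial record, and an empty SSID element is reported as "" so that hidden networks are still counted.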