WPA (Wi-Fi Protected Access), which comes in two standards, WPA and WPA2, is a system for securing wireless computer networks (Wi-Fi). It was created in response to several serious weaknesses that researchers found in the previous-generation system, Wired Equivalent Privacy (WEP).
CS653 : Mobile Computing Course Project

Wi-Fi Analysis of KReSIT building and Implementation of freeRADIUS server

Project Topic – 14

Vaibhao Tatte                    Harshad Inarkar      Swaroop Joshi
08305905                         08305066             08305013
firstname.lastname@example.org   email@example.com    firstname.lastname@example.org

Department of CSE, Indian Institute of Technology, Bombay
Thursday, November 13, 2008

Contents

1 Introduction
2 Problem Statement
3 Experimental Setup
  3.1 Part 1 : WiFi Audit
  3.2 Part 2 : Implementation of freeRADIUS
4 Results
  4.1 Part 1 : WiFi Audit
  4.2 Part 2 : Implementation of freeRADIUS
5 Conclusion
  5.1 Part 1 : WiFi Audit
  5.2 Part 2 : Implementation of freeRADIUS

1 Introduction

Kanwal Rekhi building, formerly known as KReSIT, houses most of the faculty and research scholars of the Department of Computer Science and Engineering of the Indian Institute of Technology, Bombay. It is also the place where most of the classroom hours are conducted; it houses several labs of post-graduate students and hosts various national and international level seminars. Cisco had audited the complete KReSIT building before implementing the Wi-Fi, but it appears that at many places coverage is not very good and signal strength is low. Our project aims to audit the Wi-Fi system implemented in the KReSIT building.

WiFi is the most easily hackable network in the internet world today, unless some security protocol is properly deployed. KReSIT is not secured.
No authentication is done, and the network is highly prone to any such attacks. We propose to implement the Remote Authentication Dial In User Service (RADIUS) in KReSIT. freeRADIUS is an open source server, widely deployed in the corporate world. We provide security in terms of mac-binding and user authentication (user-id/password), with the help of freeRADIUS.

2 Problem Statement

The project is aimed at:

• Study of the deployment of WiFi in KReSIT building.
  – How is the coverage at different places
  – How many APs are available at different places
  – Any coverage outage
  – Signal strengths at different places
• Exploring the options of adding security to it
  – Implementation of freeRADIUS server for the authentication
  – Deployment of daloRADIUS for the web interface to freeRADIUS

Submitted by : Vaibhao, Harshad, Swaroop

3 Experimental Setup

3.1 Part 1 : WiFi Audit

Tools Used

• Linksys Dual-Band Wireless A+G Notebook Adapter
• Backtrack Linux

Linksys Dual-Band Wireless A+G Notebook Adapter

• Universal wireless adapter connects your notebook PC to Wireless-A (802.11a), Wireless-B (802.11b), or Wireless-G (802.11g) networks
• Incredible data rates up to 54Mbps in Wireless-G and A modes
• Also downward compatible with popular 11Mbps Wireless-B devices and networks
• Advanced wireless security: Wi-Fi Protected Access (WPA), and up to 152-bit WEP encryption

Backtrack Linux

• BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.
• Consists of more than 300 different up-to-date tools which are logically structured according to the work flow of security professionals.
• No other commercial or freely available analysis platform offers an equivalent level of usability with automatic configuration and focus on penetration testing.
• One of these tools is Wireless Auditor.
  It is a customized live-CD tool, provided by Airtight Networks. It uses postgres to store the database.
• It is a dynamic tool, which senses the beacons available in the wireless medium and gets the information available in this medium at the given time. This auditor supports the Linksys dual-band notebook adapter card (Model No.: WPC55AG, Version: 1.3), mentioned above.

Methodology

We have done a floor-wise analysis, covering almost all parts of KReSIT, except the seminar hall and F.C.Kohli Auditorium, for which key-permission was required. We carried a laptop with the above tools to several points in the building. We noted the findings for ~5 min at every location and took the average of the readings. The results are explained in the following section.

3.2 Part 2 : Implementation of freeRADIUS

Tools Used

• freeRADIUS : a free open source RADIUS server
• daloRADIUS : advanced RADIUS web management application

freeRADIUS

• freeRADIUS source is available and can be downloaded from http://freeRADIUS.org
• It requires mysql to store the database
• freeRADIUS does not support a graphical user interface, only command line operations

daloRADIUS

• So we are using daloRADIUS
• It is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments
• It features user management, graphical reporting, accounting, a billing engine and integrates with GoogleMaps for geo-locating

Block Diagram

Fig 1 shows the block diagram of how the system of freeRADIUS and daloRADIUS works here.

[Figure 1: Block Diagram. Labels: DaloRadius, freeRadius, AP, CLIENT, Accounting/Authentication, Probe]

Working of freeRADIUS

General Terminology

• Supplicant/EAP Client – the software on the end-user/client machine (machine with the wireless card).
• Authenticator/NAS/Access Point (AP) – A network device providing users with a point of entry into the network.
• EAPOL – EAP over LAN as defined in the 802.1x standard.
• EAPOW – EAP over Wireless.

The sequence of events, for EAP-MD5, runs as follows:

1. The end-user associates with the Access Point (AP).
2. The supplicant tells the AP to use EAP by sending EAP-Start.
3. AP requests the supplicant to identify itself (EAP-Identity).
4. Supplicant then sends its identity (username) to the AP.
5. AP forwards this EAP-response AS-IS to the RADIUS server. (The supplicant and the RADIUS server mutually authenticate via AP. AP just acts as a passthru till authentication is finished.)
6. The server sends a challenge to the supplicant.
7. The supplicant carries out a hash on the password and sends this hashed password to the RADIUS server as its response.
8. The RADIUS server performs a hash on the password for that supplicant in its user database, compares the two hashed values, and authenticates the client if the two values match (EAP-Success/EAP-Failure).
9. AP now opens a port to accept data from the end-user.

Currently, EAP is more widely used in wireless networks than in wired networks. In 802.11/wireless based networking, the following sequence of events happens in addition to the above EAP events.

1. RADIUS server and the supplicant agree to a specific WEP key.
2. The supplicant loads the key ready for logging on.
3. The RADIUS server sends the key for this session (Session key) to the AP.
4. The AP encrypts its Broadcast key with the Session key.
5. The AP sends the encrypted key to the supplicant.
6. The supplicant decrypts the Broadcast key with the Session key and the session continues using the Broadcast and Session keys until the session ends.
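Steps 6 to 8 of the EAP-MD5 sequence above, as an added example (not code from the report or from freeRADIUS): EAP-MD5 uses the CHAP calculation of RFC 1994, so the value sent in step 7 is MD5 over the packet identifier, the password and the server's challenge, not over the password alone. The `Server` class, the user store and the function names are hypothetical.

```python
import hashlib
import hmac
import os


def md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    # RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class Server:
    """RADIUS-server side of steps 6 and 8 (hypothetical, in-memory)."""

    def __init__(self, users):
        self.users = users    # constructed user store: username -> cleartext password
        self.pending = {}     # username -> (identifier, challenge) awaiting a reply
        self.next_id = 0

    def challenge(self, username):
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)  # fresh per attempt, so an old response cannot be reused
        self.pending[username] = (self.next_id, chal)
        return self.next_id, chal

    def verify(self, username, identifier, response):
        # A challenge is single use: it is removed whether or not the check passes.
        expected_id, chal = self.pending.pop(username, (None, b""))
        password = self.users.get(username)
        if password is None or identifier != expected_id:
            return "EAP-Failure"
        expected = md5_response(identifier, password, chal)
        ok = hmac.compare_digest(expected, response)  # constant-time comparison
        return "EAP-Success" if ok else "EAP-Failure"


def run_exchange(server, username, password):
    ident, chal = server.challenge(username)          # step 6: server -> supplicant
    resp = md5_response(ident, password, chal)        # step 7: supplicant -> server
    return server.verify(username, ident, resp), (ident, resp)  # step 8
```

Because the server recomputes the hash from the password itself, the user database has to hold each password in cleartext (or in a reversible form) for this method to work.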

Methodology

Steps involved:

• Installing dependencies for freeRADIUS
• Downloading freeRADIUS source and making changes to support the Protected Extensible Authentication Protocol (PEAP)
• Building packages, using dpkg
• Installing the binary packages
• Installing mysql server
• Implementing daloRADIUS
• Making the necessary changes to support authorization and accounting
• Configuring the Access-Point (AP) to support freeRADIUS : eap with mac-binding

We have hosted the server on http://10.100.116.11/myradius. Then we add a new user-name to it. Our demonstration was performed on an AP with IP address 10.129.41.249. In order to access this AP, we have to do the MAC binding and we will require a user-id and password for authentication. The following screen-shot (fig 2) shows how to add a user.

[Figure 2: Add User]

Next, we have to add an entry for the NAS in the freeRADIUS database. We have to share a secret key between the NAS and the freeRADIUS server. We have used testing123 for our experiment. Now the users added through this interface can access the network through this AP.
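What the secret shared between the NAS and the server is used for on the wire, as an added example (not code from the report or from freeRADIUS): per RFC 2865 section 3, the server signs each reply with MD5 over the packet, the Request Authenticator the NAS sent, and the shared secret, and the NAS discards any reply that does not verify. The packet contents and the `demo` helper are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
REPLY_MESSAGE = 18  # attribute type from RFC 2865


def attribute(attr_type: int, value: bytes) -> bytes:
    # Type (1 octet), Length (1 octet, includes the 2-octet header), Value
    return bytes([attr_type, len(value) + 2]) + value


def response_authenticator(code, ident, attrs, request_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: sign the reply with the secret shared with this NAS."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, ident, request_auth, secret):
    """NAS side: return the reply code if the packet verifies, else None."""
    if len(packet) < 20:
        return None
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if pkt_id != ident or not 20 <= length <= len(packet):
        return None
    attrs = packet[20:length]  # octets beyond Length are padding and are ignored
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def demo():
    secret = b"testing123"                    # the value used in the report's experiment
    ident, request_auth = 7, os.urandom(16)   # chosen by the NAS in its Access-Request
    attrs = attribute(REPLY_MESSAGE, b"welcome")  # constructed sample attribute
    accept = build_response(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    other = build_response(ACCESS_ACCEPT, ident, attrs, request_auth, b"other-secret")
    reject = build_response(ACCESS_REJECT, ident, attrs, request_auth, secret)
    altered = bytes([ACCESS_ACCEPT]) + reject[1:]  # code octet changed in transit
    return tuple(verify_response(p, ident, request_auth, secret)
                 for p in (accept, other, altered))
```

testing123 is also the secret that ships in freeRADIUS's sample client configuration, so a deployment beyond a demonstration needs its own long random secret for each NAS.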

4 Results

4.1 Part 1 : WiFi Audit

The floor-wise results of our findings are tabulated below:

Ground Floor

Location                        Maximum Power Received   APs accessed
Inside Security Room            3                        3
Main Steps                      8                        9

First Floor

Location                        Maximum Power Received   APs accessed
Near Office                     8                        10
Embedded Systems Lab            36                       11
Outside F.C.Kohli Auditorium    26                       10
KReSIT Library                  23                       11
Inside SIA-106                  26                       10

Second Floor

Location                        Maximum Power Received   APs accessed
Inside SIA-213                  43                       7
Inside SIA-210                  21                       5
Inside SIC-203                  34                       2
Near Lift                       13                       6
Outside SIC-201                 12                       7

Third Floor

Location                        Maximum Power Received   APs accessed
Near SIC-301                    7                        3
Near Lift                       12                       7
Inside SIC-310                  43                       9
Inside SIC-309                  33                       8
Inside SIA-314                  51                       8
Inside SIA-310                  44                       9
Inside RS Rooms                 27                       9

Fourth Floor

Location                        Maximum Power Received   APs accessed
Inside SIA-413                  52                       8
Inside SIA-401                  51                       3
Inside SIA-403                  22                       7
Inside BI Area                  15                       3
Near Lift                       14                       9
Circular Hall (Center)          18                       4
Circular Hall (Sidewall)        35                       4
Circular Hall (Server Room)     14                       4

Summary

[Figure 3: Graph - floor vs no. of APs]

Fig 3 shows the floor-wise accessibility of the Access Points. The following table shows the availability of a particular AP on a given floor, where G: Ground, 1: First, 2: Second, 3: Third, 4: Fourth Floor.

Sr.   MAC ID of the AP      G   1   2   3   4
1.    00:1D:A2:AF:81:E0     Y   Y   Y   Y   Y
2.    00:1D:A2:AF:83:90     Y   Y   Y   Y   –
3.    00:1D:A2:AF:83:C0     –   Y   Y   –   –
4.    00:1D:A2:AF:84:40     –   Y   Y   Y   –
5.    00:1D:A2:AF:84:90     Y   Y   Y   Y   Y
6.    00:1D:A2:AF:84:F0     Y   –   –   –   –
7.    00:1D:A2:AF:85:40     Y   Y   Y   Y   –
8.    00:1E:13:41:F6:60     Y   Y   Y   –   –
9.    00:1E:13:41:F7:C0     Y   –   –   –   –
10.   00:1E:13:41:F7:F0     Y   Y   Y   Y   Y
11.   00:1E:13:41:F8:20     Y   Y   Y   Y   –
12.   00:1E:13:41:F8:70     –   –   –   Y   Y
13.   00:1E:13:41:FC:80     Y   Y   Y   Y   –
14.   00:1E:13:41:FD:70     Y   Y   Y   Y   –

Personal APs detected

Sr.   MAC ID of the AP      SSID        Security   Floors Accessed
1.    4E:64:61:13:EA:C9     hpsetup     Open       1, 2, 3
2.    00:0D:88:AB:23:67     KReSIT      Open       3
3.    00:0D:88:AB:24:44     KReSIT      Open       1
4.    00:0F:3D:38:2D:B3     KReSIT      Open       2, 3
5.    00:14:BF:DE:D1:AF     linksys     Open       2, 3
6.    02:28:78:18:D0:D5     olpc-mesh   Open       3
7.    02:2A:AA:32:98:C5     olpc-mesh   Open       2
8.    02:2B:8B:64:33:2A     olpc-mesh   Open       3
9.    02:2D:CD:61:46:38     olpc-mesh   Open       3
10.   02:2F:6F:CC:52:81     olpc-mesh   Open       3
11.   00:15:62:C7:DE:40     tsunami     Open       1, 2, 3
12.   00:15:62:DA:C0:50     Vaibhao     WEP        G, 1, 2
13.   00:11:95:72:BD:C6     vegayan     WEP        2, 3
14.   02:15:6D:54:AA:B0     voyage      Open       2, 3

Clients

The utilization of CSE-KR APs is not optimal. For example, at a certain point, only three clients were connected to CSE-KR and others were connected to private APs, as shown in the following table.

Sr.   MAC Address           Associated device MAC   SSID
1.    00:17:08:CE:EF:AF     4E:64:61:13:EA:C9       hpsetup
2.    00:17:08:CE:EF:AF     4E:64:61:13:EA:C9       hpsetup
3.    00:17:08:CE:EF:AF     4E:64:61:13:EA:C9       hpsetup
4.    00:17:C4:11:0F:7F     02:2F:6F:CC:52:81       olpc-mesh
5.    00:15:6D:54:AA:A0     02:15:6D:54:AA:B0       voyage
6.    00:15:6D:54:AA:A0     00:1E:13:41:FD:70       CSE-KR
7.    00:1E:4C:29:AE:C2     00:1E:13:41:FD:70       CSE-KR
8.    00:04:23:85:FE:55     00:1D:A2:AF:84:F0       CSE-KR
9.    00:18:DE:94:49:98     00:15:62:C7:DE:40       tsunami

Low Coverage

• It was observed that even though we were standing right under the APs in front of SIC-201 and SIC-301, the power received was extremely low.
• At some places the coverage was not very good; for example, in front of the office and in the Business Incubator, the signal power received was not good.

4.2 Part 2 : Implementation of freeRADIUS

We have successfully implemented freeRADIUS, using two laptops, one with authorization and one without authorization. The authorized one was able to talk with the AP, while the non-authorized one was not authenticated and was not allowed to connect to the network through this AP. The Access-Accept message can be tested using daloRADIUS. This is shown in the following screenshot (fig 4).

[Figure 4: Test User Connectivity]

It was verified that only the authorized users can access the internet through this AP, after their authentication was established by confirming the user-id and password.

5 Conclusion

5.1 Part 1 : WiFi Audit

• Some key areas do not have very good coverage
  – APs in front of SIC-201 and 301 are not showing good transmit power
  – Coverage is very poor inside the Business Incubator area
• Under-utilization of the infrastructure
  – It was found that the number of clients utilizing the CSE-KR APs is usually very low.
  – People who are using their personal APs for non-experimental purposes should be encouraged to use the CSE-KR APs.

5.2 Part 2 : Implementation of freeRADIUS

• We have implemented freeRADIUS for a sample AP to show how we can provide security to the KReSIT Wi-Fi module
• It can be extended to the entire KReSIT building, provided managerial issues are taken care of

Bibliography

RADIUS : Wikipedia article.
WiFi : Wikipedia article.
freeRADIUS website.
daloRADIUS Sourceforge webpage.
Rlm_eap, from FreeRADIUS Wiki.
AirTight Networks Official Website.
Installation Steps for freeRADIUS.
Dual-Band Wireless A+G Notebook Adapter Specifications.
Backtrack Linux Official Website.
Wireless vulnerability assessment report, an automatically generated report by AirTight Networks Wireless Auditor.