					          CS653 : Mobile Computing
               Course Project
      Wi-Fi Analysis of KReSIT building
                     and
     Implementation of freeRADIUS server




                           Project Topic – 14

    Vaibhao Tatte           Harshad Inarkar           Swaroop Joshi
      08305905                 08305066                  08305013
vaibhao@cse.iitb.ac.in   harshadv@cse.iitb.ac.in   swaroop@cse.iitb.ac.in

                         Department of CSE,
                Indian Institute of Technology, Bombay

                Thursday, November 13, 2008
Contents

 1   Introduction
 2   Problem Statement
 3   Experimental Setup
     3.1    Part 1 : WiFi Audit
     3.2    Part 2 : Implementation of freeRADIUS
 4   Results
     4.1    Part 1 : WiFi Audit
     4.2    Part 2 : Implementation of freeRADIUS
 5   Conclusion
     5.1    Part 1 : WiFi Audit
     5.2    Part 2 : Implementation of freeRADIUS


1     Introduction
   Kanwal Rekhi building, formerly known as KReSIT, houses most of the faculty
and research scholars of the department of computer science and engineering
of Indian Institute of Technology, Bombay.
It is also the place where most of the classroom hours are conducted; it houses
several labs of post-graduate students and hosts various national and
international level seminars.

   Cisco had audited the complete KReSIT building before implementing the
Wi-Fi. But it appears that at many places coverage is not very good and signal
strength is low.
    Our project aims to audit the wi-fi system implemented in KReSIT building.

   WiFi [2] is the most easily hackable network in the internet world today,
unless some security protocol is properly deployed. The KReSIT network is not
secured: no authentication is done, and it is highly prone to such attacks.
We propose to implement the Remote Authentication Dial In User Service
(RADIUS) [1] in KReSIT.
freeRADIUS [3] is an open source server, widely deployed in the corporate world.
We provide security in terms of MAC binding and user authentication
(user-id/password), with the help of freeRADIUS.


2     Problem Statement
The project is aimed at:

    • Study of the deployment of WiFi in KReSIT building.
        – How is the coverage at different places
        – How many APs are available at different places
        – Any coverage outage
        – Signal strengths at different places
    • Exploring the options of adding security to it
        – Implementation of freeRADIUS server for the authentication
        – Deployment of daloRADIUS for the web interface to freeRADIUS




Submitted by : Vaibhao, Harshad, Swaroop


3     Experimental Setup
3.1    Part 1 : WiFi Audit
Tools Used
    • Linksys Dual-Band Wireless A+G Notebook Adapter [8]
    • Backtrack Linux [9]

Linksys Dual-Band Wireless A+G Notebook Adapter
    • Universal wireless adapter connects your notebook PC to Wireless-A (802.11a),
      Wireless-B (802.11b), or Wireless-G (802.11g) networks
    • Incredible data rates up to 54Mbps in Wireless-G and A modes
    • Also downward compatible with popular 11Mbps Wireless-B devices and
      networks
    • Advanced wireless security: Wi-Fi Protected Access (WPA), and up to
      152-bit WEP encryption

Backtrack Linux
    • BackTrack is a top rated Linux live distribution focused on penetration
      testing. With no installation whatsoever, the analysis platform is
      started directly from the CD-ROM and is fully accessible within minutes.
    • Consists of more than 300 different up-to-date tools which are logically
      structured according to the work flow of security professionals.
    • No other commercial or freely available analysis platform offers an
      equivalent level of usability with automatic configuration and focus on
      penetration testing.
    • One of these tools is Wireless Auditor. It is a customized live-CD tool,
      provided by Airtight Networks [6]. It uses postgres to store the database.
    • It is a dynamic tool, which senses the beacons available in the wireless
      medium and gets the information available in this medium at the given
      time. This auditor supports the Linksys dual-band notebook adapter card
      (Model No.: WPC55AG, Version: 1.3), mentioned above.

Methodology
We have done a floor-wise analysis, covering almost all parts of KReSIT, except
the seminar hall and F.C.Kohli Auditorium, for which key-permission was required.
We carried a laptop equipped with the above tools to several points in the
building.
We noted the findings for ∼ 5 min at every location and took the average of the
readings.
The results are explained in the following section.





3.2   Part 2 : Implementation of freeRADIUS
Tools Used
   • freeRADIUS : a free open source RADIUS server [3]
   • daloRADIUS : advanced RADIUS web management application [4]

freeRADIUS
   • freeRADIUS source is available and can be downloaded from http://freeRADIUS.org
   • It requires mysql to store the database
   • freeRADIUS does not provide a graphical user interface, only command line
     operations

daloRADIUS
   • Because of this, we are using daloRADIUS
   • It is an advanced RADIUS web management application aimed at managing
     hotspots and general-purpose ISP deployments
   • It features user management, graphical reporting, accounting, a billing
     engine and integrates with GoogleMaps for geo-locating

Block Diagram
Fig 1 shows the block diagram of how the system of freeRADIUS and daloRADIUS
works here.

       [Diagram labels: CLIENT, Probe, AP, Accounting/Authentication,
        freeRadius, DaloRadius]

                          Figure 1: Block Diagram






Working of freeRADIUS [5]
General Terminology
   • Supplicant/EAP Client – the software on the end-user/client machine
     (machine with the wireless card).
   • Authenticator/NAS/Access Point(AP) – A network device providing users
     with a point of entry into the network.
   • EAPOL – EAP over LAN as defined in 802.1x standard.
   • EAPOW – EAP over Wireless.

The sequence of events, for EAP-MD5, runs as follows:
  1. The end-user associates with the Access Point (AP).
  2. The supplicant tells the AP to use EAP by sending EAP-Start.
  3. The AP requests the supplicant to identify itself (EAP-Identity).
  4. The supplicant then sends its identity (username) to the AP.
  5. The AP forwards this EAP-response as-is to the RADIUS server. (The
     supplicant and the RADIUS server mutually authenticate via the AP. The AP
     just acts as a pass-through till authentication is finished.)
  6. The server sends a challenge to the supplicant.
  7. The supplicant carries out a hash on the password and sends this hashed
     password to the RADIUS server as its response.
  8. The RADIUS server performs a hash on the password for that supplicant
     in its user database, compares the two hashed values and authenticates
     the client if the two values match (EAP-Success/EAP-Failure).
  9. The AP now opens a port to accept data from the end-user.
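
Steps 6 to 8 of the sequence above, as an added Python example (not code from this report or from freeRADIUS). It uses the MD5-Challenge formula of RFC 1994 / RFC 3748, where the hash covers the EAP identifier and the server's challenge together with the password; the class names, user name and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

EAP_SUCCESS, EAP_FAILURE = 3, 4  # EAP codes from RFC 3748


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge value: MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    def __init__(self, username: str, password: bytes):
        self.username, self.password = username, password

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        # Step 7: the password itself is never sent, only the hash is.
        return md5_challenge_value(identifier, self.password, challenge)


class RadiusServer:
    def __init__(self, users: dict):
        self.users = users      # username -> password (constructed sample data)
        self.pending = {}       # username -> (identifier, challenge)

    def challenge(self, username: str):
        # Step 6: a fresh random challenge per attempt, so an old response
        # cannot be replayed against a later login.
        identifier, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username: str, identifier: int, value: bytes) -> int:
        # Step 8: recompute the hash from the stored password and compare.
        issued = self.pending.pop(username, None)   # each challenge is single use
        password = self.users.get(username)
        if issued is None or password is None or issued[0] != identifier:
            return EAP_FAILURE
        expected = md5_challenge_value(identifier, password, issued[1])
        # Constant-time comparison avoids leaking how many bytes matched.
        return EAP_SUCCESS if hmac.compare_digest(expected, value) else EAP_FAILURE


def run_exchange(server: RadiusServer, supplicant: Supplicant) -> int:
    """The AP only relays these messages, so it is left out of the model."""
    identifier, challenge = server.challenge(supplicant.username)
    value = supplicant.respond(identifier, challenge)
    return server.verify(supplicant.username, identifier, value)


if __name__ == "__main__":
    server = RadiusServer({"alice": b"correct horse"})
    print(run_exchange(server, Supplicant("alice", b"correct horse")))
    print(run_exchange(server, Supplicant("alice", b"wrong guess")))
```
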

Currently, EAP is more widely used in wireless networks than in wired
networks. In 802.11/wireless based networking, the following sequence
of events happens in addition to the above EAP events.
  1. The RADIUS server and the supplicant agree to a specific WEP key.
  2. The supplicant loads the key ready for logging on.
  3. The RADIUS server sends the key for this session (Session key) to the AP.
  4. The AP encrypts its Broadcast key with the Session key.
  5. The AP sends the encrypted key to the supplicant.
  6. The supplicant decrypts the Broadcast key with the Session key and the
     session continues using the Broadcast and Session keys until the session
     ends.




Methodology
Steps involved:
   • Installing dependencies for freeRADIUS [7]
   • Downloading the freeRADIUS source and making changes to support Protected
     Extensible Authentication Protocol (PEAP)
   • Building packages, using dpkg
   • Installing the binary packages
   • Installing mysql server
   • Implementing daloRADIUS
   • Making the necessary changes to support authorization and accounting [7]
   • Configuring the Access-Point (AP) to support freeRADIUS : eap with
     mac-binding

  We have hosted the server on http://10.100.116.11/myradius. Then we add a
new user-name to it. Our demonstration was performed on an AP with IP address
10.129.41.249. In order to access this AP, we have to do the MAC binding
and we will require a user-id and password for authentication.
The following screen-shot (fig 2) shows how to add a user.




                               Figure 2: Add User






    Next, we have to add an entry for the NAS in the freeRADIUS database. We
have to share a secret key between the NAS and the freeRADIUS server. We have
used testing123 for our experiment.
    Now the users added through this interface can access the network through
this AP.


4     Results
4.1   Part 1 : WiFi Audit
The floor-wise results of our findings are tabulated below:


Ground Floor
 Location                Maximum Power Received             APs accessed
 Inside Security Room    3                                  3
 Main Steps              8                                  9

First Floor
 Location                         Maximum Power Received           APs accessed
 Near Office                      8                                10
 Embedded Systems Lab             36                               11
 Outside F.C.Kohli Auditorium     26                               10
 KReSIT Library                   23                               11
 Inside SIA-106                   26                               10

Second Floor
 Location           Maximum Power Received           APs accessed
 Inside SIA-213     43                               7
 Inside SIA-210     21                               5
 Inside SIC-203     34                               2
 Near Lift          13                               6
 Outside SIC-201    12                               7

Third Floor
 Location            Maximum Power Received           APs accessed
 Near SIC-301        7                                3
 Near Lift           12                               7
 Inside SIC-310      43                               9
 Inside SIC-309      33                               8
 Inside SIA-314      51                               8
 Inside SIA-310      44                               9
 Inside RS Rooms     27                               9






Fourth Floor
 Location                      Maximum Power Received     APs accessed
 Inside SIA-413                52                         8
 Inside SIA-401                51                         3
 Inside SIA-403                22                         7
 Inside BI Area                15                         3
 Near Lift                     14                         9
 Circular Hall (Center)        18                         4
 Circular Hall (Sidewall)      35                         4
 Circular Hall (Server Room)   14                         4

Summary




                   Figure 3: Graph - floor vs no. of APs



  Fig 3 shows the floor-wise accessibility of the Access Points.
  The following table shows the availability of a particular AP on a given
floor, where G: Ground, 1: First, 2: Second, 3: Third, 4: Fourth Floor.

    Sr.   MAC ID of the AP       G    1    2   3   4
     1.   00:1D:A2:AF:81:E0      Y    Y    Y   Y   Y
     2.   00:1D:A2:AF:83:90      Y    Y    Y   Y   –
     3.   00:1D:A2:AF:83:C0      –    Y    Y   –   –
     4.   00:1D:A2:AF:84:40      –    Y    Y   Y   –
     5.   00:1D:A2:AF:84:90      Y    Y    Y   Y   Y
     6.   00:1D:A2:AF:84:F0      Y    –    –   –   –
     7.   00:1D:A2:AF:85:40      Y    Y    Y   Y   –
     8.   00:1E:13:41:F6:60      Y    Y    Y   –   –
     9.   00:1E:13:41:F7:C0      Y    –    –   –   –
    10.   00:1E:13:41:F7:F0      Y    Y    Y   Y   Y
    11.   00:1E:13:41:F8:20      Y    Y    Y   Y   –
    12.   00:1E:13:41:F8:70      –    –    –   Y   Y
    13.   00:1E:13:41:FC:80      Y    Y    Y   Y   –
    14.   00:1E:13:41:FD:70      Y    Y    Y   Y   –



Personal APs detected
 Sr.   MAC ID of the AP         SSID         Security    Floors Accessed
  1.   4E:64:61:13:EA:C9        hpsetup      Open        1, 2, 3
  2.   00:0D:88:AB:23:67        KReSIT       Open        3
  3.   00:0D:88:AB:24:44        KReSIT       Open        1
  4.   00:0F:3D:38:2D:B3        KReSIT       Open        2, 3
  5.   00:14:BF:DE:D1:AF        linksys      Open        2, 3
  6.   02:28:78:18:D0:D5        olpc-mesh    Open        3
  7.   02:2A:AA:32:98:C5        olpc-mesh    Open        2
  8.   02:2B:8B:64:33:2A        olpc-mesh    Open        3
  9.   02:2D:CD:61:46:38        olpc-mesh    Open        3
 10.   02:2F:6F:CC:52:81        olpc-mesh    Open        3
 11.   00:15:62:C7:DE:40        tsunami      Open        1, 2, 3
 12.   00:15:62:DA:C0:50        Vaibhao      WEP         G, 1, 2
 13.   00:11:95:72:BD:C6        vegayan      WEP         2, 3
 14.   02:15:6D:54:AA:B0        voyage       Open        2, 3

Clients
The utilization of CSE-KR APs is not optimal.
For example, at a certain point, only three clients were connected to CSE-KR
and others were connected to private APs, as shown in the following table [10].

 Sr.   MAC Address           Associated device MAC         SSID
  1.   00:17:08:CE:EF:AF     4E:64:61:13:EA:C9             hpsetup
  2.   00:17:08:CE:EF:AF     4E:64:61:13:EA:C9             hpsetup
  3.   00:17:08:CE:EF:AF     4E:64:61:13:EA:C9             hpsetup
  4.   00:17:C4:11:0F:7F     02:2F:6F:CC:52:81             olpc-mesh
  5.   00:15:6D:54:AA:A0     02:15:6D:54:AA:B0             voyage
  6.   00:15:6D:54:AA:A0     00:1E:13:41:FD:70             CSE-KR
  7.   00:1E:4C:29:AE:C2     00:1E:13:41:FD:70             CSE-KR
  8.   00:04:23:85:FE:55     00:1D:A2:AF:84:F0             CSE-KR
  9.   00:18:DE:94:49:98     00:15:62:C7:DE:40             tsunami

Low Coverage
   • It was observed that even though we were standing right under the APs
     in front of SIC-201 and SIC-301, the power received was extremely low.
   • At some places the coverage was not very good; for example, in front of
     the office and in the Business Incubator, the signal power received was
     not good.

4.2    Part 2 : Implementation of freeRADIUS
We have successfully implemented freeRADIUS, using two laptops, one with
authorization and one without authorization. The authorized one was able to
talk with the AP, while the non-authorized one was not authenticated and was
not allowed to connect to the network through this AP. The Access-Accept
message can be tested using daloRADIUS.
This is shown in the following screenshot (fig 4).






                       Figure 4: Test User Connectivity



    It was verified that only the authorized users can access the internet
through this AP, after their authentication was established by confirming the
user-id and password.






5     Conclusion
5.1    Part 1 : WiFi Audit
    • Some key areas do not have very good coverage
        – APs in front of SIC-201 and 301 are not showing good transmit
          power
        – Coverage is very poor inside Business Incubator area
    • Under-utilization of the infrastructure
        – It was found that the number of clients utilizing the CSE-KR APs is
          usually very low.
        – People who are using their personal APs for non-experimental
          purposes should be encouraged to use the CSE-KR APs.

5.2    Part 2 : Implementation of freeRADIUS
    • We have implemented freeRADIUS for a sample AP to show how we can
      provide security to the KReSIT Wi-Fi module
    • It can be extended to the entire KReSIT building, provided managerial
      issues are taken care of




Bibliography

 [1] RADIUS : Wikipedia article.
 [2] WiFi : Wikipedia article.
 [3] freeRADIUS website.
 [4] daloRADIUS Sourceforge webpage.

 [5] Rlm_eap, from FreeRADIUS Wiki.
 [6] AirTight Networks Official Website.
 [7] Installation Steps for freeRADIUS.
 [8] Dual-Band Wireless A+G Notebook Adapter Specifications.
 [9] Backtrack Linux Official Website.
[10] Wireless vulnerability assessment report, an automatically generated report
     by airtight network wireless auditor.



