Research on Wireless LAN Attack Techniques
Abstract
Wireless LANs offer mobility and flexibility that traditional wired networks cannot, and have therefore been widely adopted. That convenience also brings many security problems, which are attracting growing attention. When users transmit data over radio-frequency signals, the threat of eavesdropping and masquerading is ever-present, so a security mechanism is needed to protect normal communication.
     The IEEE 802.11 standard introduces the Wired Equivalent Privacy (WEP) protocol to protect link-layer communication, with the goal of giving wireless LAN data the same level of protection as a wired network. WEP's primary task is to protect the confidentiality of user data against attacks such as eavesdropping.
     An analysis of WEP reveals several serious security flaws in the protocol (involving, for example, keystream reuse, message authentication and message decryption), which shows that WEP fails to achieve its design security goals. Methods are then proposed for attacking wireless LANs by exploiting these flaws.
     Based on these attack methods, an attack tool targeting 802.11 wireless LANs is designed. The tool captures packets by putting the wireless network card into monitor mode. It then analyzes and filters the captured packets to obtain network information such as the AP's MAC address, the SSID and the channel. Finally, it performs computations on the encrypted data to recover the encryption key in use.
     A prototype of the tool was implemented on Windows XP using Microsoft Visual C++ 6.0. Theoretical analysis and experimental testing show that the tool can discover basic service sets that are actively transmitting data and crack the encryption key they use.
