Wireless security has become very important as the use of wireless networks increases. Attackers look for weaknesses in standardized wireless security and exploit them with various methods and for various purposes. These attacks sometimes cause only minor damage; their main purpose is to seize the secret key or to sabotage the transmissions of other legitimate users by cutting off the wireless network's communication.

While establishing the 802.11i secure wireless networking standard, the IEEE attempted to improve the security algorithms by eliminating the vulnerabilities of early security standards for wireless networks such as WEP. This development of wireless network security has been driven by the attackers' methods. However, in November 2008 Martin Beck and Erik Tews developed a method of breaking the WPA cryptosystem when it uses TKIP, which was developed after WEP, showing that wireless networks can be cracked with some attack methods despite the improvements in wireless security. These attack methods are described in the literature.

In this article, I will try to share with you the types of attacks on wireless networks, classifying them according to their purpose and according to their frequency of use.

Classification of Attacks Made to Wireless Networks by Method and Type

A number of attacks are being developed that affect the potential threats to wireless networks and when they are used. In this article, I would like to create a reference list of attacks or threats against 802.11 and 802.1X. Separating them into categories by threat type, we will examine the methods of the attackers who use these threats and the tools they use.
The types of threats can be classified as follows:

a) Access Control Attacks
b) Confidentiality Attacks
c) Integrity Attacks
d) Authentication Attacks
e) Availability Attacks

a) Access Control Attacks

These attacks try to get into the network by secretly listening to radio frequencies and getting around wireless network access control measures such as access point MAC filtering and 802.1X port access control.

Wardriving is the first and best-known method of detecting wireless networks (unsecured or low-security ones, of course); in short, it means working out the access control measures of the wireless network, getting past them and entering the system. It is usually done with a mobile unit such as a laptop or handheld computer. A wardriving scan is very simple: an attacker can detect a wireless network while sitting with a laptop or handheld computer. Once a suitable AP has been detected, the attacker can mark it as available and investigate it, and can even prevent it from reaching the Internet. The word "war" in wardriving actually comes from wardialing, which was used in the past. Wardialing can be defined as finding the line a modem is plugged into by trying all the possibilities of a telephone number, for offensive purposes. Wardriving, as used in this article, applies the same logic to wireless networks.

Unauthorized Access Point (Rogue Access Point)

Unauthorized access points are APs set up either by malicious people who want to access sensitive information or by people without enough security knowledge, for their own or corporate use. In both cases, these unauthorized APs are security threats. Unauthorized APs cause interference and reduce system performance. Even worse, they let unauthorized people (attackers) access the network. Wireless network stations may associate with an unauthorized AP that is closer to them than the AP they are normally associated with. This occurs when WEP is not enabled.
An attacker who gains access through an unauthorized AP can reach the other network stations associated with that AP. If the unauthorized AP is also connected to the wired network, attackers can access the wired network as well.

MAC Address Fraud (MAC Spoofing)

ACLs (Access Control Lists) provide an acceptable level of security when strong forms of identification are used. Unfortunately, the same does not apply to MAC addresses. MAC addresses can easily be captured by an attacker as unencrypted text even when WEP is enabled. In addition, the MAC address of a wireless network card can easily be changed with a software tool. The attacker can penetrate the network using all these advantages.

Capturing a MAC address is very easy. Using packet capture software, the attacker detects a MAC address that is in use. If the wireless network card allows it, the attacker changes its MAC address to the one that was found, and is ready.

If the attacker has wireless networking equipment and there is a wireless network nearby, a deception attack is now possible. The attacker configures their own AP to imitate a wireless network nearby, or one that the victim believes is an Internet access point they can trust. The signal of this fake AP is stronger than that of the real AP, so the victim will choose the fake AP. Once the victim begins to communicate, the attacker will steal the victim's password, network access and all other important information. The general aim of this attack is actually to capture the password.

There are several ways to change a MAC address. The address can be changed in software: when an Ethernet frame is sent over the network, software can intervene in this field and set it from scratch. Some cards allow the MAC address to be set through their configuration settings in Windows. The address stored on the card can also be rewritten.
This needs software that knows the properties of the chipset in use, and it makes it possible to assign a new address on the card. The MAC addresses of Ethernet cards on the motherboard can also be changed in the BIOS settings. Linux users can change their MAC address with a single parameter of a command such as "ifconfig", without any spoofing software. Many programs that change the MAC address are also available on the Internet.

IP Spoofing

When the TCP/IP protocol family that makes the Internet work was developed, security was treated as flexibly as possible. This flexibility allows IP addresses to be spoofed. Spoofing on the Internet can be done using someone else's IP address. That last sentence was valid ten years ago but is practically invalid today. The main reason is that today's modern operating systems provide a permanent solution to these problems. In particular, TCP, which underlies the most commonly used Internet protocols such as HTTP, SMTP and HTTPS, uses a method to prevent this type of forgery.

Connecting to a Non-Secure Network (Ad Hoc Associations)

An ad hoc network allows devices to communicate directly with each other. Devices can move around the network and can connect to any device within their coverage area. There is no base station. The nodes communicate only with other nodes in their coverage area. The nodes organize themselves in the network.

802.1X RADIUS Cracking

This is the method of recovering the RADIUS secret from 802.1X access requests by brute force, for use with an Evil Twin AP. In other words, the attacker targets the data packets on the network path between the local area network or access point and the RADIUS server.

b) Confidentiality Attacks

Whether the information is sent in the clear or encrypted by 802.11 or higher-layer protocols, these attacks attempt to intercept private information sent over wireless links.
Eavesdropping

Eavesdropping is the capture of data transmitted over a network or channel by malicious third parties who intrude on it. In this type of attack it is even possible to take the data on its way from the source to the target, change it and send it on to the target. This attack has a very different area of application from what is usually assumed. Even a stand-alone computer that does not interact with any other computer can be secretly listened to by following the electric or electromagnetic radiation emitted by its electronic parts, such as microchips. So that devices would not allow such eavesdropping, the American government developed a standard called TEMPEST, starting in the middle of the 1950s.

WEP Key Cracking

Many articles on WEP vulnerabilities have been published. Because of WEP's weaknesses, more secure standards such as WPA and WPA2 have since been established. These weaknesses of WEP allow attackers to mount active or passive attacks. The purpose is to break the WEP key. The frequency band is listened to and the attacker tries to obtain the key from what is captured. Passive attacks are based on the results obtained from IV collisions, and active attacks are attacks such as replay attacks.

Evil Twin AP

To confuse the system, attackers can create an access point that imitates one that is in use and let users connect to it. In this way, all the information of a user who connects to the twin AP can be obtained.

AP Phishing

After users connect to the Evil Twin AP, attackers can set up a web server and redirect those users to various web pages in order to collect information about the victim through malicious code on the page.

Man In The Middle

In some sources this attack method is called a bucket brigade attack. The analogy comes from the chains that firemen formed in the old days, passing buckets from hand to hand to put out a fire.
In this attack, the attacker inserts itself between the two target computers to capture their communication. Instead of travelling directly between the two endpoints, the data is intercepted by the attacker and then sent on. Neither of the two computers notices this.

1) A wireless attacker can mount a man-in-the-middle attack against two separate users on the wired network who are on the same switch as the AP.
2) A wireless attacker can mount a man-in-the-middle attack, via a wireless user, on the hub or switch that the AP is plugged into.
3) A wireless attacker can carry out the attack against users who are connected to different APs.

c) Integrity Attacks

These attacks send forged control, management or data packets over the wireless link in order to mislead the recipient or to facilitate other forms of attack; DoS attacks are an example. DoS attacks are examined in a separate section.

802.11 Packet Injection (Frame Injection)

This method sends fake 802.11 packets to access points or to the attacked station, so that after a while the target goes out of service or releases the information the attacker needs. Many programs exist for it. These injection (in other words, spraying) programs apply the following logic:

a) First the access point is searched for.
b) Vulnerabilities are searched for.
c) De-authentication and de-association attacks are carried out with spoofed packets.
d) Not all hardware drivers are supported.

802.11 Data Replay

The attacker both captures packets and replays them repeatedly. The work consists of recording packets and replaying them.

802.1X EAP Replay

This captures packets of the 802.1X Extensible Authentication Protocols (packets such as EAP ID, Success and Error).

802.1X RADIUS Replay

This captures RADIUS Access-Accept or Reject messages.
The next step is to replay them between the access point and the authentication host machine.

d) Authentication Attacks

Intruders use these attacks to steal the identity and credentials of legitimate users in order to connect to a private network or service.

e) Availability Attacks

These attacks are used to reduce or block the availability of wireless services for legitimate users. The goal is to prevent these users from accessing WLAN resources, but also to reduce those resources.

DoS Attacks

DoS attacks are attacks aimed at disrupting the operation of a system or stopping the service running on it. An attacking client tries to block other legitimate clients' access to information or services. Such attacks are not aimed at breaking passwords or stealing information. These attacks try to stop the service in two ways:

* By consuming resources such as processor, memory and bandwidth
* By using a weakness in the protocol or the service

Technically, a DoS attack works as follows: the attacking computer sends a request to a web site or server and the server responds to it; the attacker keeps sending such requests, the server's resources are consumed, and the server becomes unavailable. As a result, other users cannot reach the web site or access point. DoS attacks can also use spam e-mail messages to prevent other messages from getting through.

DoS attack indicators:

* Unacceptably low network performance
* Slow access to a web site
* An increase of spam e-mails in a mailbox
* Unavailability of certain parts of your website

There are many types and techniques of DoS attack. Nowadays most companies produce software or hardware to detect and prevent DoS attacks. However, DoS attacks still affect access devices and websites that have security weaknesses.
DoS Attack Types

* TCP/SYN Flood Attack

This is a classic DoS attack and is not very effective against modern commercial computer systems, because they have countermeasures against it. In this technique, the SYN (synchronize) packets arriving at the target system fill its memory. A server whose memory is full cannot serve other clients that connect to it.

First, let us see how a client connects to a server and in which steps. The process consists of 3 steps:

1. The client sends a SYN packet containing information about itself in order to connect to the server machine (Web, Telnet, Mail, FTP and so on).
2. The server receives this SYN packet and replies to the client with a packet that combines SYN with an acknowledgment (ACK + SYN).
3. The client receives this packet from the server and sends an ACK packet to confirm that it was received. The connection is now established.

What is described above is a normal connection. As for the attack: if the ACK packet of step 3 is not sent, the server keeps waiting for the client's ACK packet for a while. If, during this wait, the client issues connection requests again and again and never sends the third (ACK) packet, the server stores each of these requests in memory. Repeated often enough, this fills the memory. When the server's memory is full, the server can no longer answer other users. This is what a TCP/SYN flood attack looks like.

* TCP Replay Flood Attack

This attack sends a large amount of data to the open ports of a wireless access point in order to fill its memory. In this technique, MAC spoofing or IP spoofing is used together with the flood to increase the severity of the attack.
* Land Attack

A Land attack is a type of DoS attack that works with an identical source and destination; that is, it sends spoofed packets that carry the victim's own IP address and port as the forged source. The packet contains a connection request that starts a handshake. At the end of the handshake the victim sends an acknowledgment (ACK). Because the destination and the source are the same, the victim receives the very packet it sent. The received data does not match the type the victim expects, so the ACK is sent again. This process continues until the network crashes. In this type of attack, attackers flood the network with SYN packets that use the IP address of the target system as the source IP address. The target computer then appears to have sent the packets to itself. When the target system tries to respond to itself, it becomes unavailable.

* Brute-Force Attack

A brute-force attack, for example the "Smurf" attack, floods the computer network with unnecessary traffic. It uses the directed (subnet) broadcast feature of IP. The attacker sets the destination address of the packets to the broadcast address of the network. The router then sends an ICMP echo request to all hosts on the network. If there are many hosts on the network, this generates a large amount of ICMP echo request packets. The broadcast flood consumes the available bandwidth, and communication becomes impossible.

* IP Spoofing Attack

IP spoofing is used to get into systems, to hide an attacker's identity, or to magnify the effect of a DoS attack. It is a technique that tricks a router or firewall into believing that traffic comes from a trusted network of the attacker's choice. This provides unauthorized access to the systems. To do this, the attacker changes the packet header.
The packet then appears to come from a trusted network, and the router or firewall allows these packets to pass.

* Ping Flood Attack

Ping Flood is a basic type of DoS attack. In this technique, attackers fill the bandwidth of the victim systems by sending them ICMP packets of large size (65000), and so sabotage network communication. An example is the Ping of Death. The Ping of Death uses the "PING" application to generate IP packets that exceed the 65535-byte data limit allowed by the IP specification. The oversized packet is then sent to the network. Systems can crash, stall or shut down.

* Teardrop Attack

Teardrop exploits a weakness in the reassembly of IP packets. When data is transmitted across networks, it is usually split into smaller fragments. Each fragment looks like the original packet, except for the offset field. The Teardrop program creates a set of IP packet fragments whose offset fields overlap. When these fragments are recombined at the point of arrival, some systems can crash, stall or shut down.

* UDP Flood Attack

UDP (User Datagram Protocol) is a fast but unreliable communication protocol. The sender sends the data but does not check whether it has arrived. It is preferred in situations where speed is important. This type of attack is a DoS attack that uses UDP. Using UDP for a DoS attack is not as easy or as straightforward as using TCP. Nevertheless, a UDP flood attack can be carried out by sending large UDP packets to random ports on the remote access point. The general logic is to send the packets from forged IP addresses. The use of IP spoofing is mandatory. For example, when flooding a computer, it has to be calculated whether the packets are going out too quickly, because then they do not arrive properly.

Distributed DoS Attack

In a distributed DoS (DDoS) attack, trojans and similar software are used to make many other systems attack the target. These systems are called zombies.
The purpose of a DDoS attack can be to exhaust the network bandwidth and the target's resources.

Features of a DDoS attack:

* A DDoS attack is difficult to detect and prevent because it comes from many different IP addresses, whereas attacks from a single system with a single IP address can be prevented.
* In this type of attack the targeted services are the victims. The seized zombie systems, which attack unwittingly, are the second victims.
* It is a wide-scale, coordinated attack on the target's services.
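The TCP/SYN flood and Land attack descriptions above can be turned into a defensive check that follows the 3-step handshake and reports what never completed. This is an added example, not code from the original article; the function names, the timeout and threshold values, and the packet records (which use documentation address ranges) are constructed for illustration.

```python
from collections import Counter

SERVER = ("192.0.2.10", 80)  # constructed server address and port

def build_sample():
    """Constructed records: (time_s, src_ip, src_port, dst_ip, dst_port, flags)."""
    pkts = [
        # A normal client completing all three steps
        (0.00, "198.51.100.7", 40000, *SERVER, "SYN"),
        (0.01, *SERVER, "198.51.100.7", 40000, "SYN+ACK"),
        (0.02, "198.51.100.7", 40000, *SERVER, "ACK"),
        # Source and destination identical: the Land pattern
        (2.00, *SERVER, *SERVER, "SYN"),
        # A client whose handshake is simply still in progress
        (9.50, "198.51.100.9", 40001, *SERVER, "SYN"),
    ]
    # One source that sends step 1 eight times and never sends step 3
    pkts += [(1.0 + i * 0.01, "203.0.113.5", 50000 + i, *SERVER, "SYN")
             for i in range(8)]
    return sorted(pkts)

def analyse_handshakes(packets, server, now, timeout=3.0):
    """Return (land_packets, half_open), half_open being a Counter per client IP
    of SYNs still unanswered by the client's ACK after `timeout` seconds."""
    land = []
    pending = {}  # (client_ip, client_port) -> time of the SYN
    for pkt in packets:
        t, sip, sport, dip, dport, flags = pkt
        if (sip, sport) == (dip, dport):
            land.append(pkt)          # never a legitimate packet
            continue
        if (dip, dport) != server:
            continue                  # step 2 (server to client) needs no state here
        if flags == "SYN":            # step 1: server would allocate memory now
            pending[(sip, sport)] = t
        elif flags == "ACK":          # step 3: handshake completed
            pending.pop((sip, sport), None)
    half_open = Counter(ip for (ip, _), t in pending.items() if now - t > timeout)
    return land, half_open

def flag_sources(half_open, threshold=5):
    """Sources holding at least `threshold` timed-out half-open handshakes."""
    return sorted(ip for ip, n in half_open.items() if n >= threshold)

if __name__ == "__main__":
    land, half_open = analyse_handshakes(build_sample(), SERVER, now=10.0)
    print("land packets:", land)
    print("half-open per source:", dict(half_open))
    print("flagged:", flag_sources(half_open))
```

Because the article notes that floods are combined with IP spoofing, the per-source count is only one signal; the total number of timed-out entries in `half_open` matters as well.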
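The Ping of Death and Teardrop sections above both come down to fragment offsets that a receiver must check before copying data. The following reassembly routine is an added example, not code from the original article or from any particular IP stack; the function name, the finding labels and the fragment sets are constructed, and a 20-byte header without options is assumed.

```python
MAX_IP_DATAGRAM = 65535  # maximum total length of an IP datagram in bytes

def reassemble(fragments, header_len=20):
    """Reassemble one datagram from (offset_units, data, more_fragments) tuples.

    offset_units is the fragment offset in 8-byte units, as in the IP header.
    Returns (payload, findings); payload is None whenever findings is non-empty,
    so data is never copied to an offset that failed a check.
    """
    findings = set()
    buf = bytearray()
    last_seen = False
    for off_units, data, more in sorted(fragments, key=lambda f: f[0]):
        start = off_units * 8
        if start < len(buf):
            findings.add("overlap")    # overlapping offsets: Teardrop pattern
        elif start > len(buf):
            findings.add("gap")        # a fragment in between is missing
        if header_len + start + len(data) > MAX_IP_DATAGRAM:
            findings.add("oversize")   # exceeds 65535 bytes: Ping of Death pattern
        if findings:
            break                      # stop before touching the buffer
        buf += data
        last_seen = not more
    if not findings and not last_seen:
        findings.add("incomplete")     # final fragment never arrived
    return (None if findings else bytes(buf)), sorted(findings)

# Constructed fragment sets, not captured traffic
NORMAL = [(0, b"A" * 16, True), (2, b"B" * 8, False)]
OVERLAPPING = [(0, b"A" * 32, True), (3, b"B" * 8, False)]         # 24 < 32
OVERSIZED = [(0, b"\0" * 65512, True), (8189, b"\0" * 100, False)]  # ends past 65535

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("overlapping", OVERLAPPING),
                        ("oversized", OVERSIZED)):
        payload, findings = reassemble(frags)
        size = None if payload is None else len(payload)
        print(name, "payload bytes:", size, "findings:", findings)
```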