Shark: A Wireless Internet Security Test Bed Senior Design Project May07-09 Stephen Eilers Jon Murphy Alex Pease Jessica Ross

What is SHARK? SHARK is a wireless security network to be used to study security related issues on wireless networks Meant to be a tool to teach interested students about wireless security Also meant to report statistics about attackers and methods used to researchers at ISU

Intended Users Primary –College students in computer related fields –Most likely ages 18 to 22 and male –Should already know the basics of wireless networking –Most likely uses a UNIX-based OS Secondary –Interested community members –People around campus looking for a free access point

Intended Uses Primary –To be used as a learning tool for students –To be used as a means of gaining information about methods of attack

Assumptions Software shall be freeware Traffic analyzer should be able to monitor connections, packet traffic, and activity inside of machines hosting WAPs Traffic generator shall generate authentic traffic Web server shall be secure Web server shall log names, s, and MAC addresses of prospective hackers There will be five levels of difficulty

Limitations Wireless access points must be portable Initial build of SHARK must consist of three or fewer computers SHARK must be built within a $150 budget

SHARK Node

SHARK – Software OS - Ubuntu –Linux operating system –Free/Open-source software –Latest distribution in Debian family –Excellent documentation and support –User Interface is easy to use

SHARK – Software Squid –Web proxy cache –Fairly well documented –Free, open-source software –Supports our needs and more Allows for use as transparent proxy Port 80 forwarding on SHARK and all 7-of-9 traffic to web Rest of traffic on shark, tunneled to virtual Machine

SHARK – Software Apache –Free, open-source software –Well documented –Used to create local web-server login/registration Keep track of users –Used to help analyze results –Monitor individuals and their specific techniques –Ability to determine what hardware is in use

SHARK – Software MySQL –Well documented –Free/Open Source software –Easy to use –Database Locally used store user login/registration Store captured data

SHARK – Software WireShark/Ethereal –Free/Open-Source Software –Well Documented –Experience using software –Network Protocol Analyzer Uses second wireless card Captures all traffic on SHARK Network –Attack attempts –Generated traffic

Levels of Security SHARK has five levels of security –Guppy No security, used for basic registering on network –Clownfish WEP security –Swordfish Rotating WEP security –Barracuda WPA security –SHARK RADIUS security Each level provides statistical data on hacking patterns

7-of-9 Off-the-Shelf wireless access point –Provides easy installation of open wireless network –Connects to Hub to provide generic internet access for comparison –Traffic is captured and analyzed on SHARK node.

Traffic Generator – Baiting the Hook To break WEP and WPA encryption, attackers must analyze thousands of packets – Not just any packets, but ARP packets Void11 –Forces the generator to disconnect from the network by generating de-authentication packets Homebrew daemon –will be running to reconnect the generator to the SHARK network when it gets disconnected –Acting as a normal user

Traffic Generator – Baiting the Hook Void11 + daemon = ARP flooding –Can produce on average of 75,000 ARP packets/hour ARP packets contain Initialization Vectors a block of bits that is required to allow a stream or block cipher executed in any of several streaming modes without having to go through a re-keying process. Takes 50k – 200k IV’s to crack 64-bit WEP Takes 200k – 700k IV’s to crack 128-bit WEP Takes 500k – 1 Million IV’s to crack WPA- PSK

Secure Tunneling VPN – Virtual Private Network – Provide secure communications over unsecured networks for data integrity Benefits – extensible and easy to manage while providing the level of security we desire Downsides – if the machine itself is compromised, they have direct access Solution – using scripts we are able to “on-the-fly” configure the SHARK box

Secure Tunneling – VPN One of the only ways to provide a secure and extensible way to access the SHARK machines Need the ability to create multiple VPN sessions, so a VPN server is required Multiple solutions available –Point to Point Tunneling Protocol –Layer 2 Tunneling Protocol –Secure Sockets Layer

Electrical View

Electrical View Pros/Cons One external IP Firewall branches Lots of port forwarding

Port Forwarding External->Internal 10022(non tunnel) -> Virtualnet(ssh) 10023(non tunnel)-> Smallbox(ssh) 10024(non tunnel)-> Sharkweb(ssh) 80(non tunnel)-> Sharkweb(http) All other tunnel -> Virtualnet All other non tunnel -> dropped

Machine Breakdown

Sharkweb OS FreeBSD WebserverApache Web UtilitiesMySQL, PHP

SmallBox OS SuSE LINUX Packet CaptureWireShark FilterSnort WebserverApache

Virtualnet OS Ubuntu Virtual Machine ManagerXen

Virtual Machine 1(trophy) OSFreeBSD Remote Log onSSH WebserverApache MailSquirrelmail Programming Gcc, G++

Virtual Machine 2 OSDebian Linux UtilitiesTarPit

Virtual Machine 3 OSRedHat SoftwareHoneyD

Design Evaluation Form SHARK Wireless Network Functionality Relative Importance Evaluation Score Resultant Score Create Secured Wireless Network20%100%20% Virtual Net to direct user traffic to.10%100%10% Web server to register users10%100%10% Generate traffic to populate the network10%100%10% Security levels for users to break through.15%80%12% Secure tunnel from SHARK node to15%60%9% Capture data from access attempts.10%100%10% Analyze captured data10% 1% Total100%82%

Questions?