Wireless Network Security Virtual Laboratory

Anthony LoBono, Mike Steffen, and Shishir Gupta

Advisor: Doug Jacobson

Client: George Amariucai

Introduction

• Problem: Iowa State University’s CPRE537: Wireless Network Security course does not provide a laboratory environment in which its students, both distance education and on campus, can conduct wireless security experiments.

• Solution: Create an environment that is accessible from anywhere in the world, built on real wireless hardware and a virtual machine server, and provide the software tools necessary for conducting experiments on wireless security.

Conceptual Sketch

Functional Requirements

• Remote access for both on campus and off campus students

• Support for at least four concurrent users

• Support for WiFi and Bluetooth experiments

• A web interface to manage hardware access

• Non-interference between users

• Comprehensive documentation for both administrators and students

Non-Functional Requirements

• User friendly access interface

• Adequate network bandwidth

• Adequate system resources

• Real world network simulation

• Extension to support other wireless technology
  – GSM
  – RFID

Schedule

1st Semester

• Preliminary hardware setup

• Preliminary laboratory design

• Wi-Fi demo laboratory setup

2nd Semester

• Final implementation
  – Hardware interface
  – Web interface

• GSM / RFID experimentation

• Final setup and final testing

Task Responsibility

As a small team of three members, each member is equally involved with all aspects of the project. However, here is a very basic work breakdown:

• Michael Steffen – Hardware Specialist: Michael leads the design and setup of the hardware architecture and virtual machine server

• Anthony LoBono – System Specialist: Anthony leads the design and setup of the software architecture and the web interface

• Shishir Gupta – Security Specialist: Shishir leads the design and setup of wireless security hardware and software

System Architecture

Implementation: Hardware Architecture

• Commodity x86 server hardware

• USB wireless dongles (Ralink)

• Consumer-grade routers

• USB Bluetooth/RFID/etc. tools

Implementation: Software Architecture

• Multilevel
  – Hypervisor
  – OS
  – Software tools
  – Scripts

• Mostly invisible to end user

Implementation: Software Architecture

• Hypervisor
  – VMware vSphere Hypervisor 4.1
    • Free license
    • Robust platform
    • Team familiarity
    • Ease of configuration
  – Custom scripted via console SSH

• Virtual machines
  – Four transmit client nodes
  – Four attack nodes
  – One host config node
  – One administration node

Implementation: Software Architecture

• Dilemma: How to ensure the environment is equally available to all?

• Solution: Each user has their own VM
  – Remains off until requested
  – Radio config patched before boot and stripped after logoff
  – Result: greater uptime for all users

Implementation: Software Architecture

• Scripts
  – Backend: Hypervisor scripted to allow statistics gathering, power state mods, file operations
  – Frontend: Configuration upon creation of machines
  – Scripts for environment user management, administration

• User interface
  – Web portal
  – Access to system status, user file operations, documentation
  – Terminal or X server access to user’s attack and transmit nodes
    • X access via NoMachine NX

Implementation: Network Architecture

• Intent: user environments separate from each other
  – Users MAC-locked to router
    • Can be bypassed

• Transmit nodes blocked from communicating via firewall

• Routing of HTTP versus SSH traffic achieved via firewall, routing tables

• Radio separation achieved by manual channel configuration

Cost Estimate

VM Host Server: $1250 (approx)
Wireless Adapters: $80 ($10 x 8)
Bluetooth Adapters: $160 ($40 x 4)
Routers / Switches: $130

Total: $1620 (approx)

Start Environment

1. User asks the web portal to attach radios and power on user machines.

2. Web portal checks the PHP session to confirm the user is logged in and gets the user’s username.

3. Web portal tells the hypervisor communication class to power on the user’s machines.

4. Hypervisor class invokes the provision and boot script on the host machine through an SSH connection.

Adding A User

1. User requests to add a user

2. Web portal checks to make sure the user is an administrator

3. Web portal checks to see if the user already exists

4. Web portal tells the hypervisor communication class to verify that the datastore has enough disk space

5. Hypervisor class tells the host machine to verify and create the user machines

6. Web portal saves the username and password temporarily.

Adding A User

7. Web portal tells the control machine to add the configuration script to crontab

8. Every five minutes, the configuration script checks whether the host machine is done creating the user machines

9. When ready, the script reads the username and password from the control machine

10. The script tells the hypervisor class to power on the user’s machines

11. The script runs commands over SSH to configure the virtual machines

12. User gets added to the database

Web Interface

Creating Users

• Results – Both creating an individual user’s virtual machines and batch creating users’ virtual machines were successful.

• Known Issues
  – Better functionality should be implemented for alerting an administrator when this process is completed.
  – If the portdef table in the MySQL database becomes corrupt, new virtual machines will not be configured correctly, nor will they be accessible from outside the firewall.

Removing Users

• Results – Tests for removing virtual machines were successful

• Known Issues – When individual users are removed from the portdef table in the MySQL database, their assigned ports cannot be used again until all users are removed.

Change Account Passwords

• Results – The system was able to catch all combinations of characters we tested without error.

• Known Issues – None

Powering Down Machines

• Results – The system was able to power down a user’s machines. The web interface was also successful in powering down machines from both the user session and the admin session.

• Known Issues – Powering down a user’s machine while it is being backed up fails.

Backing Up And Restoring Machines

• Results – The system was mostly successful in this process. A few tests resulted in failure; however, the failures were not reproducible.

• Known Issues – If a user restores his or her working image from a backup after being assigned new ports on the firewall, the machine will no longer function properly. However, the current implementation should not allow a user’s ports to be redefined.

Attaching Radios And Booting

• Results – All tests for the system resulted in success.

• Known Issues – With the current implementation only non-cascading USB hubs can be used with the server. Cascading hubs cause the ‘getavailibleusbdevices.sh’ script to fail.

Wireless Experimentation Environment

Each user -> Remote access to two virtual machines

Attack Machine

- Backtrack 5 R1
- NX Server
- SSH Server
- Attack Tools

Client Machine

- Ubuntu 10.04 (LTS)
- NX Server
- SSH Server
- Traffic Generators

Wi-Fi + Bluetooth

The laboratory currently supports experimentation for Wi-Fi and Bluetooth.

Wi-Fi
Hardware: USB Wi-Fi Adapter (Rosewill RTL-8187), Wireless Router (D-Link XXXXX)
Software: Backtrack Tools, Lorcon (packet injection), Airpwn (Wi-Fi spoofing), Scapy (packet injection), coWPAtty (WPA cracking)

Bluetooth
Hardware: USB Bluetooth Adapter (Linksys BT100)
Software: Backtrack Tools

Laboratory Extension

The coursework for the class is not limited to a specific wireless technology and instead touches on different wireless technologies.

Wi-Fi, Bluetooth, GSM, RFID

As part of this senior design project, the client requirements called for initial integration of at least Wi-Fi and Bluetooth, with optional extension, or preparatory work for future extension, to other technologies.

The team researched and performed experiments with an SDR platform to potentially integrate GSM, RFID and maybe other technologies in the future.

Hardware: Universal Software Radio Peripheral (USRP)

• USRP version 1

• Daughterboards
  – LF RX (DC-30 MHz RX)
  – TV RX (50-870 MHz RX)
  – DBSRX (800 MHz-2.4 GHz RX)
  – RFX2400 (2.3-2.9 GHz RX+TX)

• Antennas

• USB Connector

Software: GNU Radio + Universal Hardware Driver (UHD)

• Core Framework

• AirProbe (GSM decoder)

• RIDAC (RFID toolkit)

• DSP Buttler (signal processing)

Experiments Performed

• Wireless jamming
  – GNU Radio Signal Generator

• GSM receiving/decoding
  – AirProbe GSM RX/sniffer

• RFID capture
  – RIDAC RFID audit toolkit

• Wireless RF spectrum analysis
  – DSP Buttler
  – Baudline RF spectrum analyzer

*Note – All experiments were conducted using open source software available on the internet.

Spectrum Analysis

GSM Capture

Additional Problems / Notes

• The RSA private key for the web user must remain unencrypted.

• Before the configure machines script can work, the web user must accept the RSA id from the SSH server on the stock images.

• Before the configure machines script can work, the RSA public key for the web user must be added to the root user’s ‘authorized_keys’ file on both stock images.

• When restoring user images from the stock image, the image was no longer functional. The solution was to edit the configuration script to check whether the user already exists. If the user does exist, the script looks up the user in the portdef table in the MySQL database and configures the machine accordingly.

• Currently, for a new user to be created there must be at least 70 gigabytes of free space on the requested datastore. This is to account for user backups. A more space-efficient method should be investigated.

Additional Problems / Notes

• Currently the firewall is only configured to allow 100 users on the system. Given the disk space constraint listed above, this is not really an issue. However, the firewall should be reconfigured and the machine configuration script should be modified to allow more than 100 users on the system.

• Currently, when a user’s allotted session time comes to an end, the user’s machines are powered down. Since we made the switch from PCI cards to USB devices, it is now possible to ‘hot plug’ the devices. Now, when a user’s session comes to an end, the attached devices should be removed and the machines should remain powered on. This change would prevent data loss.

• To allow the PHP scripts to write log files to ‘/var/log/wseclab.d/FILENAME’, the user that the Apache server runs as needed to be added to the log group.

• To allow the user that the Apache server runs as to schedule cron jobs, that user had to be added to the user group.
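One way to limit what the web user's unencrypted key can do when the portal drives scripts over SSH (Start Environment step 4, Adding A User step 11, and the authorized_keys notes above), shown as an added example that is not the project's own code: an OpenSSH forced-command wrapper that accepts only allowlisted actions with a validated username. The install path, script directory, script names and action names are all assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the web user's SSH key.
# Every path, script name and action name below is hypothetical.
#
# Install it with an authorized_keys entry of this form (one line), so that
# the unencrypted key can only ever run this wrapper:
#   command="/usr/local/sbin/wseclab-dispatch",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <public key> webuser
# sshd ignores the command the client sent, runs the wrapper instead, and
# passes the client's request in SSH_ORIGINAL_COMMAND.

LC_ALL=C; export LC_ALL          # make [a-z] mean ASCII lowercase only
SCRIPT_DIR=/opt/wseclab/bin      # hypothetical location of the lab scripts

# resolve_request "<action> <username>"
# Prints the command line to run, or returns 1 if the request is not allowed.
resolve_request() {
    local action user script
    action=${1%% *}              # text before the first space
    user=${1#* }                 # text after the first space
    # With no space both halves equal the whole input; rebuilding catches that.
    [ "$action $user" = "$1" ] || return 1
    # Username: lowercase letter first, then lowercase, digits, "_" or "-".
    # This also rejects spaces, quotes, ";", "$" and other metacharacters.
    case $user in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#user}" -le 32 ] || return 1
    # Allowlist of actions; anything else is refused.
    case $action in
        poweron)   script=provision_and_boot.sh ;;
        poweroff)  script=power_down.sh ;;
        configure) script=configure_machines.sh ;;
        *)         return 1 ;;
    esac
    printf '%s %s\n' "$SCRIPT_DIR/$script" "$user"
}

# Entry point: only runs when sshd has set SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(resolve_request "$SSH_ORIGINAL_COMMAND"); then
        logger -t wseclab "allowed: $SSH_ORIGINAL_COMMAND"
        exec $cmd    # safe to split: two validated words, no metacharacters
    else
        logger -t wseclab "denied request"   # raw input is not logged
        exit 1
    fi
fi
```

With this in place, a copy of the web user's private key can trigger only the listed scripts for a well-formed username, not an interactive root shell.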

Testing

• Our original plan was to have a closed beta test for this semester’s Computer Engineering 537 class. However, Computer Engineering 537 was not offered this semester, so we acted as the test subjects. We tested all the use cases in appendix A with a large amount of success.

Questions